Linux: Implement interfaces for memory protection keys
Commit Message
This adds system call wrappers for pkey_alloc, pkey_free, pkey_mprotect,
and x86-64 implementations of pkey_get and pkey_set, which abstract over
the PKRU CPU register and hide the actual number of memory protection
keys supported by the CPU.
The system call wrapers use unsigned int instead of unsigned long for
parameters, so that no special treatment for x32 is needed. The flags
argument is currently unused, and the access rights bit mask is limited
to two bits by the current PKRU register layout anyway.
2017-11-04 Florian Weimer <fweimer@redhat.com>
Linux: Implement interfaces for memory protection keys
* support/Makefile (libsupport-routines): Add
support_test_compare_failure, xraise, xsigaction, xsignal,
xsysconf.
* support/check.h (TEST_COMPARE): New macro.
(support_test_compare_failure): Declare.
* support/xsignal.h (xraise, xsignal, xsigaction): Declare.
* support/xunistd.h (xsysconf): Declare.
* support/support_test_compare_failure.c: New file.
* support/xraise.c: Likewise.
* support/xsigaction.c: Likewise.
* support/xsignal.c: Likewise.
* support/xsysconf.c: Likewise.
* sysdeps/unix/sysv/linux/Makefile [misc] (routines): Add
pkey_set, pkey_get.
[misc] (tests): Add tst-pkey.
(tst-pkey): Link with -lpthread.
* sysdeps/unix/sysv/linux/Versions (GLIBC_2.27): Add pkey_alloc,
pkey_free, pkey_set, pkey_get, pkey_mprotect.
* sysdeps/unix/sysv/linux/bits/mman-linux.h (PKEY_DISABLE_ACCESS)
(PKEY_DISABLE_WRITE): Define.
(pkey_alloc, pkey_free, pkey_set, pkey_get, pkey_mprotect):
Declare.
* sysdeps/unix/sysv/linux/bits/siginfo-consts.h (SEGV_BNDERR)
(SEGV_PKUERR): Add.
* sysdeps/unix/sysv/linux/pkey_get.c: New file.
* sysdeps/unix/sysv/linux/pkey_set.c: Likewise.
* sysdeps/unix/sysv/linux/syscalls.list (pkey_alloc, pkey_free)
(pkey_mprotect): Add.
* sysdeps/unix/sysv/linux/tst-pkey.c: New file.
* sysdeps/unix/sysv/linux/x86_64/arch-pkey.h: Likewise.
* sysdeps/unix/sysv/linux/x86_64/pkey_get.c: Likewise.
* sysdeps/unix/sysv/linux/x86_64/pkey_set.c: Likewise.
* sysdeps/unix/sysv/linux/**.abilist: Update.
Comments
On 11/04/2017 06:49 PM, Florian Weimer wrote:
> This adds system call wrappers for pkey_alloc, pkey_free, pkey_mprotect,
> and x86-64 implementations of pkey_get and pkey_set, which abstract over
> the PKRU CPU register and hide the actual number of memory protection
> keys supported by the CPU.
>
> The system call wrapers use unsigned int instead of unsigned long for
> parameters, so that no special treatment for x32 is needed. The flags
> argument is currently unused, and the access rights bit mask is limited
> to two bits by the current PKRU register layout anyway.
I again forgot to add a NEWS entry.
Note that the manual pages for pkey_alloc etc. are currently quite
confusing (and we'd have to add one for pkey_set/pkey_get).
Thanks,
Florian
On Sun, 5 Nov 2017, Florian Weimer wrote:
> On 11/04/2017 06:49 PM, Florian Weimer wrote:
> > This adds system call wrappers for pkey_alloc, pkey_free, pkey_mprotect,
> > and x86-64 implementations of pkey_get and pkey_set, which abstract over
> > the PKRU CPU register and hide the actual number of memory protection
> > keys supported by the CPU.
> >
> > The system call wrapers use unsigned int instead of unsigned long for
> > parameters, so that no special treatment for x32 is needed. The flags
> > argument is currently unused, and the access rights bit mask is limited
> > to two bits by the current PKRU register layout anyway.
>
> I again forgot to add a NEWS entry.
Documentation in the glibc manual is also needed.
On 11/06/2017 02:29 PM, Joseph Myers wrote:
> On Sun, 5 Nov 2017, Florian Weimer wrote:
>
>> On 11/04/2017 06:49 PM, Florian Weimer wrote:
>>> This adds system call wrappers for pkey_alloc, pkey_free, pkey_mprotect,
>>> and x86-64 implementations of pkey_get and pkey_set, which abstract over
>>> the PKRU CPU register and hide the actual number of memory protection
>>> keys supported by the CPU.
>>>
>>> The system call wrapers use unsigned int instead of unsigned long for
>>> parameters, so that no special treatment for x32 is needed. The flags
>>> argument is currently unused, and the access rights bit mask is limited
>>> to two bits by the current PKRU register layout anyway.
>>
>> I again forgot to add a NEWS entry.
>
> Documentation in the glibc manual is also needed.
What's the general feeling about these interfaces? Shall we add them,
despite their limitations (especially with regard to key reuse)?
Then I'll write documentation.
Thanks,
Florian
>
> What's the general feeling about these interfaces? Shall we add them, despite their limitations (especially with regard to key reuse)?
>
> Then I'll write documentation.
This is currently only supported on x86 and I am not sure if it will be
ever used by other architectures, but Linux thinks its interface is
sufficient generic since it decided to extend it be part of generic
ABI. I also do not foresee this interface to be deprecated by any other
soon, so I think it should be a valuable adition.
Do you know any project that is already using it?
On 04/11/2017 15:49, Florian Weimer wrote:
> This adds system call wrappers for pkey_alloc, pkey_free, pkey_mprotect,
> and x86-64 implementations of pkey_get and pkey_set, which abstract over
> the PKRU CPU register and hide the actual number of memory protection
> keys supported by the CPU.
>
> The system call wrapers use unsigned int instead of unsigned long for
> parameters, so that no special treatment for x32 is needed. The flags
> argument is currently unused, and the access rights bit mask is limited
> to two bits by the current PKRU register layout anyway.
AFAIK there is no need to special handling of unsigned long, which is
32 bits on x32. There were issues of using {INLINE,INTERNAL}_SYSCALL
along with 64 bits arguments (off_t for instance) and it should be fixed
by 78ca091cdd2c. The only special handling is required for syscalls that
return 64 bits arguments, for instance 'times', which can't be handled
by {INLINE,INTERNAL}_SYSCALLS (x32 times.c get around by redefining
internal_syscall1 to return a 64 bits value).
So I think there is no reason to use a different symbol signature than
kernel.
>
> 2017-11-04 Florian Weimer <fweimer@redhat.com>
>
> Linux: Implement interfaces for memory protection keys
> * support/Makefile (libsupport-routines): Add
> support_test_compare_failure, xraise, xsigaction, xsignal,
> xsysconf.
> * support/check.h (TEST_COMPARE): New macro.
> (support_test_compare_failure): Declare.
> * support/xsignal.h (xraise, xsignal, xsigaction): Declare.
> * support/xunistd.h (xsysconf): Declare.
> * support/support_test_compare_failure.c: New file.
> * support/xraise.c: Likewise.
> * support/xsigaction.c: Likewise.
> * support/xsignal.c: Likewise.
> * support/xsysconf.c: Likewise.
> * sysdeps/unix/sysv/linux/Makefile [misc] (routines): Add
> pkey_set, pkey_get.
> [misc] (tests): Add tst-pkey.
> (tst-pkey): Link with -lpthread.
> * sysdeps/unix/sysv/linux/Versions (GLIBC_2.27): Add pkey_alloc,
> pkey_free, pkey_set, pkey_get, pkey_mprotect.
> * sysdeps/unix/sysv/linux/bits/mman-linux.h (PKEY_DISABLE_ACCESS)
> (PKEY_DISABLE_WRITE): Define.
> (pkey_alloc, pkey_free, pkey_set, pkey_get, pkey_mprotect):
> Declare.
> * sysdeps/unix/sysv/linux/bits/siginfo-consts.h (SEGV_BNDERR)
> (SEGV_PKUERR): Add.
> * sysdeps/unix/sysv/linux/pkey_get.c: New file.
> * sysdeps/unix/sysv/linux/pkey_set.c: Likewise.
> * sysdeps/unix/sysv/linux/syscalls.list (pkey_alloc, pkey_free)
> (pkey_mprotect): Add.
> * sysdeps/unix/sysv/linux/tst-pkey.c: New file.
> * sysdeps/unix/sysv/linux/x86_64/arch-pkey.h: Likewise.
> * sysdeps/unix/sysv/linux/x86_64/pkey_get.c: Likewise.
> * sysdeps/unix/sysv/linux/x86_64/pkey_set.c: Likewise.
> * sysdeps/unix/sysv/linux/**.abilist: Update.
>
> diff --git a/support/Makefile b/support/Makefile
> index dafb1737a4..50d4269e24 100644
> --- a/support/Makefile
> +++ b/support/Makefile
> @@ -52,9 +52,10 @@ libsupport-routines = \
> support_record_failure \
> support_run_diff \
> support_shared_allocate \
> - support_write_file_string \
> + support_test_compare_failure \
> support_test_main \
> support_test_verify_impl \
> + support_write_file_string \
> temp_file \
> write_message \
> xaccept \
> @@ -84,8 +85,8 @@ libsupport-routines = \
> xpthread_attr_destroy \
> xpthread_attr_init \
> xpthread_attr_setdetachstate \
> - xpthread_attr_setstacksize \
> xpthread_attr_setguardsize \
> + xpthread_attr_setstacksize \
> xpthread_barrier_destroy \
> xpthread_barrier_init \
> xpthread_barrier_wait \
> @@ -116,14 +117,18 @@ libsupport-routines = \
> xpthread_sigmask \
> xpthread_spin_lock \
> xpthread_spin_unlock \
> + xraise \
> xreadlink \
> xrealloc \
> xrecvfrom \
> xsendto \
> xsetsockopt \
> + xsigaction \
> + xsignal \
> xsocket \
> xstrdup \
> xstrndup \
> + xsysconf \
> xunlink \
> xwaitpid \
> xwrite \
> diff --git a/support/check.h b/support/check.h
> index bdcd12952a..29b709c2b0 100644
> --- a/support/check.h
> +++ b/support/check.h
> @@ -86,6 +86,35 @@ void support_test_verify_exit_impl (int status, const char *file, int line,
> does not support reporting failures from a DSO. */
> void support_record_failure (void);
>
> +/* Compare the two numbers LEFT and RIGHT and report failure if they
> + are different. */
> +#define TEST_COMPARE(left, right) \
> + ({ \
> + __typeof__ (left) __left_value = (left); \
> + __typeof__ (right) __right_value = (right); \
> + _Static_assert (sizeof (__left_value) <= sizeof (long long), \
> + "left value fits into long long"); \
> + _Static_assert (sizeof (__right_value) <= sizeof (long long), \
> + "right value fits into long long"); \
> + if (__left_value != __right_value \
> + || ((__left_value > 0) != (__right_value > 0))) \
> + support_test_compare_failure \
> + (__FILE__, __LINE__, \
> + #left, __left_value, __left_value > 0, \
> + #right, __right_value, __right_value > 0); \
> + })
> +
I think the macro name should be more explicit since it is not only
comparing two number but also their size.
> +/* Internal implementation of TEST_COMPARE. LEFT_POSITIVE and
> + RIGHT_POSITIVE are used to fit both unsigned long long and long
> + long arguments into LEFT_VALUE and RIGHT_VALUE. */
> +void support_test_compare_failure (const char *file, int line,
> + const char *left_expr,
> + long long left_value,
> + int left_positive,
> + const char *right_expr,
> + long long right_value,
> + int right_positive);
> +
> /* Internal function called by the test driver. */
> int support_report_failure (int status)
> __attribute__ ((weak, warn_unused_result));
> diff --git a/support/support_test_compare_failure.c b/support/support_test_compare_failure.c
> new file mode 100644
> index 0000000000..38fec1ca89
> --- /dev/null
> +++ b/support/support_test_compare_failure.c
> @@ -0,0 +1,46 @@
> +/* Reporting mumeric comparison failure.
Typo.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <stdio.h>
> +#include <support/check.h>
> +
> +static void
> +report (const char *which, const char *expr, long long value, int positive)
> +{
> + printf (" %s: ", which);
> + if (positive)
> + printf ("%llu", (unsigned long long) value);
> + else
> + printf ("%lld", value);
> + printf (" (0x%llx); from: %s\n", (unsigned long long) value, expr);
> +}
> +
> +void
> +support_test_compare_failure (const char *file, int line,
> + const char *left_expr,
> + long long left_value,
> + int left_positive,
> + const char *right_expr,
> + long long right_value,
> + int right_positive)
> +{
> + support_record_failure ();
> + printf ("%s:%d: numeric comparison failure\n", file, line);
> + report (" left", left_expr, left_value, left_positive);
> + report ("right", right_expr, right_value, right_positive);
> +}
Ok.
> diff --git a/support/xraise.c b/support/xraise.c
> new file mode 100644
> index 0000000000..9126c6c3ea
> --- /dev/null
> +++ b/support/xraise.c
> @@ -0,0 +1,27 @@
> +/* Error-checking wrapper for raise.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <support/check.h>
> +#include <support/xsignal.h>
> +
> +void
> +xraise (int sig)
> +{
> + if (raise (sig) != 0)
> + FAIL_EXIT1 ("raise (%d): %m" , sig);
> +}
> diff --git a/support/xsigaction.c b/support/xsigaction.c
Ok.
> new file mode 100644
> index 0000000000..b74c69afae
> --- /dev/null
> +++ b/support/xsigaction.c
> @@ -0,0 +1,27 @@
> +/* Error-checking wrapper for sigaction.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <support/check.h>
> +#include <support/xsignal.h>
> +
> +void
> +xsigaction (int sig, const struct sigaction *newact, struct sigaction *oldact)
> +{
> + if (sigaction (sig, newact, oldact))
> + FAIL_EXIT1 ("sigaction (%d): %m" , sig);
> +}
> diff --git a/support/xsignal.c b/support/xsignal.c
Ok.
> new file mode 100644
> index 0000000000..22a1dd74a7
> --- /dev/null
> +++ b/support/xsignal.c
> @@ -0,0 +1,29 @@
> +/* Error-checking wrapper for signal.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <support/check.h>
> +#include <support/xsignal.h>
> +
> +sighandler_t
> +xsignal (int sig, sighandler_t handler)
> +{
> + sighandler_t result = signal (sig, handler);
> + if (result == SIG_ERR)
> + FAIL_EXIT1 ("signal (%d, %p): %m", sig, handler);
> + return result;
> +}
> diff --git a/support/xsignal.h b/support/xsignal.h
Ok.
> index 3dc0d9d5ce..3087ed0082 100644
> --- a/support/xsignal.h
> +++ b/support/xsignal.h
> @@ -24,6 +24,14 @@
>
> __BEGIN_DECLS
>
> +/* The following functions call the corresponding libc functions and
> + terminate the process on error. */
> +
> +void xraise (int sig);
> +sighandler_t xsignal (int sig, sighandler_t handler);
> +void xsigaction (int sig, const struct sigaction *newact,
> + struct sigaction *oldact);
> +
> /* The following functions call the corresponding libpthread functions
> and terminate the process on error. */
>
Ok.
> diff --git a/support/xsysconf.c b/support/xsysconf.c
> new file mode 100644
> index 0000000000..15ab1e26c4
> --- /dev/null
> +++ b/support/xsysconf.c
> @@ -0,0 +1,36 @@
> +/* Error-checking wrapper for sysconf.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <errno.h>
> +#include <support/check.h>
> +#include <support/xunistd.h>
> +
> +long
> +xsysconf (int name)
> +{
> + /* Detect errors by a changed errno value, in case -1 is a valid
> + value. Make sure that the caller does not see the zero value for
> + errno. */
> + int old_errno = errno;
> + errno = 0;
> + long result = sysconf (name);
> + if (errno != 0)
> + FAIL_EXIT1 ("sysconf (%d): %m", name);
> + errno = old_errno;
> + return result;
> +}
Ok.
> diff --git a/support/xunistd.h b/support/xunistd.h
> index 05c2626a7b..00376f7aae 100644
> --- a/support/xunistd.h
> +++ b/support/xunistd.h
> @@ -39,6 +39,7 @@ void xstat (const char *path, struct stat64 *);
> void xmkdir (const char *path, mode_t);
> void xchroot (const char *path);
> void xunlink (const char *path);
> +long xsysconf (int name);
>
> /* Read the link at PATH. The caller should free the returned string
> with free. */
> diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
> index 53e41510e3..095cf93892 100644
> --- a/sysdeps/unix/sysv/linux/Makefile
> +++ b/sysdeps/unix/sysv/linux/Makefile
> @@ -18,7 +18,7 @@ sysdep_routines += clone umount umount2 readahead \
> setfsuid setfsgid epoll_pwait signalfd \
> eventfd eventfd_read eventfd_write prlimit \
> personality epoll_wait tee vmsplice splice \
> - open_by_handle_at
> + open_by_handle_at pkey_set pkey_get
>
> CFLAGS-gethostid.c = -fexceptions
> CFLAGS-tee.c = -fexceptions -fasynchronous-unwind-tables
> @@ -44,7 +44,7 @@ sysdep_headers += sys/mount.h sys/acct.h sys/sysctl.h \
>
> tests += tst-clone tst-clone2 tst-clone3 tst-fanotify tst-personality \
> tst-quota tst-sync_file_range test-errno-linux tst-sysconf-iov_max \
> - tst-memfd_create
> + tst-memfd_create tst-pkey
>
> # Generate the list of SYS_* macros for the system calls (__NR_*
> # macros). The file syscall-names.list contains all possible system
> @@ -92,6 +92,8 @@ $(objpfx)tst-syscall-list.out: \
> # Separate object file for access to the constant from the UAPI header.
> $(objpfx)tst-sysconf-iov_max: $(objpfx)tst-sysconf-iov_max-uapi.o
>
> +$(objpfx)tst-pkey: $(shared-thread-library)
> +
> endif # $(subdir) == misc
>
> ifeq ($(subdir),time)
> diff --git a/sysdeps/unix/sysv/linux/Versions b/sysdeps/unix/sysv/linux/Versions
> index 992c19729f..798ffc7660 100644
> --- a/sysdeps/unix/sysv/linux/Versions
> +++ b/sysdeps/unix/sysv/linux/Versions
> @@ -168,6 +168,7 @@ libc {
> }
> GLIBC_2.27 {
> memfd_create;
> + pkey_alloc; pkey_free; pkey_set; pkey_get; pkey_mprotect;
> }
> GLIBC_PRIVATE {
> # functions used in other libraries
> diff --git a/sysdeps/unix/sysv/linux/aarch64/libc.abilist b/sysdeps/unix/sysv/linux/aarch64/libc.abilist
> index 140ca28abc..85788be12b 100644
> --- a/sysdeps/unix/sysv/linux/aarch64/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/aarch64/libc.abilist
> @@ -2107,6 +2107,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.27 strfromf128 F
> GLIBC_2.27 strtof128 F
> GLIBC_2.27 strtof128_l F
> diff --git a/sysdeps/unix/sysv/linux/alpha/libc.abilist b/sysdeps/unix/sysv/linux/alpha/libc.abilist
> index f698e1b2f4..3b463dacbe 100644
> --- a/sysdeps/unix/sysv/linux/alpha/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/alpha/libc.abilist
> @@ -2018,6 +2018,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.27 strfromf128 F
> GLIBC_2.27 strtof128 F
> GLIBC_2.27 strtof128_l F
> diff --git a/sysdeps/unix/sysv/linux/arm/libc.abilist b/sysdeps/unix/sysv/linux/arm/libc.abilist
> index 8a8af3e3e4..a1315aef35 100644
> --- a/sysdeps/unix/sysv/linux/arm/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/arm/libc.abilist
> @@ -108,6 +108,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.4 GLIBC_2.4 A
> GLIBC_2.4 _Exit F
> GLIBC_2.4 _IO_2_1_stderr_ D 0xa0
> diff --git a/sysdeps/unix/sysv/linux/bits/mman-linux.h b/sysdeps/unix/sysv/linux/bits/mman-linux.h
> index b091181960..da5ec79334 100644
> --- a/sysdeps/unix/sysv/linux/bits/mman-linux.h
> +++ b/sysdeps/unix/sysv/linux/bits/mman-linux.h
> @@ -109,3 +109,38 @@
> # define MCL_ONFAULT 4 /* Lock all pages that are
> faulted in. */
> #endif
> +
> +/* Memory protection key support. */
> +#ifdef __USE_GNU
> +
> +/* FLags for pkey_alloc. */
> +# define PKEY_DISABLE_ACCESS 0x1
> +# define PKEY_DISABLE_WRITE 0x2
Typo on 'FLags'.
> +
> +__BEGIN_DECLS
> +
> +/* Allocate a new protection key, with the PKEY_DISABLE_* bits
> + specified in ACCESS_RIGHTS. The protection key mask for the
> + current thread is updated to match the access privilege for the new
> + key. */
> +int pkey_alloc (unsigned int __flags, unsigned int __access_rights) __THROW;
> +
> +/* Update the access rights for the current thread for KEY, which must
> + have been allocated using pkey_alloc. */
> +int pkey_set (int __key, unsigned int __access_rights) __THROW;
> +
> +/* Return the access rights for the current thread for KEY, which must
> + have been allocated using pkey_alloc. */
> +int pkey_get (int _key) __THROW;
> +
> +/* Free an allocated protection key,/ which must have been allocated
> + using pkey_alloc. */
> +int pkey_free (int __key) __THROW;
> +
> +/* Apply memory protection flags for KEY to the specified address
> + range. */
> +int pkey_mprotect (void *__addr, size_t __len, int __prot, int __pkey) __THROW;
> +
> +__END_DECLS
> +
> +#endif /* __USE_GNU */
> diff --git a/sysdeps/unix/sysv/linux/bits/siginfo-consts.h b/sysdeps/unix/sysv/linux/bits/siginfo-consts.h
> index 525840cea1..e86b933040 100644
> --- a/sysdeps/unix/sysv/linux/bits/siginfo-consts.h
> +++ b/sysdeps/unix/sysv/linux/bits/siginfo-consts.h
> @@ -111,8 +111,12 @@ enum
> {
> SEGV_MAPERR = 1, /* Address not mapped to object. */
> # define SEGV_MAPERR SEGV_MAPERR
> - SEGV_ACCERR /* Invalid permissions for mapped object. */
> + SEGV_ACCERR, /* Invalid permissions for mapped object. */
> # define SEGV_ACCERR SEGV_ACCERR
> + SEGV_BNDERR, /* Bounds checking failure. */
> +# define SEGV_BNDERR SEGV_BNDERR
> + SEGV_PKUERR /* Protection key checking failure. */
> +# define SEGV_PKUERR SEGV_PKUERR
> };
>
> /* `si_code' values for SIGBUS signal. */
Ok.
> diff --git a/sysdeps/unix/sysv/linux/hppa/libc.abilist b/sysdeps/unix/sysv/linux/hppa/libc.abilist
> index 5b81a6cd7d..7397d728f2 100644
> --- a/sysdeps/unix/sysv/linux/hppa/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/hppa/libc.abilist
> @@ -1872,6 +1872,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 __ctype_b_loc F
> GLIBC_2.3 __ctype_tolower_loc F
> diff --git a/sysdeps/unix/sysv/linux/i386/libc.abilist b/sysdeps/unix/sysv/linux/i386/libc.abilist
> index 51ead9e867..cffdf251d6 100644
> --- a/sysdeps/unix/sysv/linux/i386/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/i386/libc.abilist
> @@ -2037,6 +2037,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 __ctype_b_loc F
> GLIBC_2.3 __ctype_tolower_loc F
> diff --git a/sysdeps/unix/sysv/linux/ia64/libc.abilist b/sysdeps/unix/sysv/linux/ia64/libc.abilist
> index 78b4ee8d40..3292510a55 100644
> --- a/sysdeps/unix/sysv/linux/ia64/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/ia64/libc.abilist
> @@ -1901,6 +1901,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 __ctype_b_loc F
> GLIBC_2.3 __ctype_tolower_loc F
> diff --git a/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist b/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
> index d9c97779e4..636bbdd1a7 100644
> --- a/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/m68k/coldfire/libc.abilist
> @@ -109,6 +109,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.4 GLIBC_2.4 A
> GLIBC_2.4 _Exit F
> GLIBC_2.4 _IO_2_1_stderr_ D 0x98
> diff --git a/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist b/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
> index 4acbf7eeed..6952863f86 100644
> --- a/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/m68k/m680x0/libc.abilist
> @@ -1986,6 +1986,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 __ctype_b_loc F
> GLIBC_2.3 __ctype_tolower_loc F
> diff --git a/sysdeps/unix/sysv/linux/microblaze/libc.abilist b/sysdeps/unix/sysv/linux/microblaze/libc.abilist
> index 93f02f08ce..ac5b56abab 100644
> --- a/sysdeps/unix/sysv/linux/microblaze/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/microblaze/libc.abilist
> @@ -2107,3 +2107,8 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> diff --git a/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
> index 795e85de70..bb0958e842 100644
> --- a/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/mips/mips32/fpu/libc.abilist
> @@ -1961,6 +1961,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 __ctype_b_loc F
> GLIBC_2.3 __ctype_tolower_loc F
> diff --git a/sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist
> index dc714057b7..9104eb4d6d 100644
> --- a/sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/mips/mips32/nofpu/libc.abilist
> @@ -1959,6 +1959,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 __ctype_b_loc F
> GLIBC_2.3 __ctype_tolower_loc F
> diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
> index ce7bc9b175..58a5d5e141 100644
> --- a/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/mips/mips64/n32/libc.abilist
> @@ -1957,6 +1957,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.27 strfromf128 F
> GLIBC_2.27 strtof128 F
> GLIBC_2.27 strtof128_l F
> diff --git a/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist b/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
> index 3fdd85eace..2efac14a7d 100644
> --- a/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/mips/mips64/n64/libc.abilist
> @@ -1952,6 +1952,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.27 strfromf128 F
> GLIBC_2.27 strtof128 F
> GLIBC_2.27 strtof128_l F
> diff --git a/sysdeps/unix/sysv/linux/nios2/libc.abilist b/sysdeps/unix/sysv/linux/nios2/libc.abilist
> index 3e0bcb2a5c..9ef29e4e98 100644
> --- a/sysdeps/unix/sysv/linux/nios2/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/nios2/libc.abilist
> @@ -2148,3 +2148,8 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> diff --git a/sysdeps/unix/sysv/linux/pkey_get.c b/sysdeps/unix/sysv/linux/pkey_get.c
> new file mode 100644
> index 0000000000..fc3204c82f
> --- /dev/null
> +++ b/sysdeps/unix/sysv/linux/pkey_get.c
> @@ -0,0 +1,26 @@
> +/* Obtaining the thread memory protection key, generic stub.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <errno.h>
> +
> +int
> +pkey_get (int key)
> +{
> + __set_errno (ENOSYS);
> + return -1;
> +}
Ok.
> diff --git a/sysdeps/unix/sysv/linux/pkey_set.c b/sysdeps/unix/sysv/linux/pkey_set.c
> new file mode 100644
> index 0000000000..f686c4373c
> --- /dev/null
> +++ b/sysdeps/unix/sysv/linux/pkey_set.c
> @@ -0,0 +1,26 @@
> +/* Changing the thread memory protection key, generic stub.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <errno.h>
> +
> +int
> +pkey_set (int key, unsigned int access_rights)
> +{
> + __set_errno (ENOSYS);
> + return -1;
> +}
Ok.
> diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
> index 375c69d9d1..60c024096f 100644
> --- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/fpu/libc.abilist
> @@ -1990,6 +1990,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 __ctype_b_loc F
> GLIBC_2.3 __ctype_tolower_loc F
> diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
> index a88172a906..327933c973 100644
> --- a/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc32/nofpu/libc.abilist
> @@ -1995,6 +1995,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 __ctype_b_loc F
> GLIBC_2.3 __ctype_tolower_loc F
> diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist
> index fa026a332c..b04c31bc10 100644
> --- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist
> +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc-le.abilist
> @@ -2202,3 +2202,8 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> diff --git a/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist b/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist
> index 838f395d78..e0645e9e25 100644
> --- a/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/powerpc/powerpc64/libc.abilist
> @@ -109,6 +109,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 _Exit F
> GLIBC_2.3 _IO_2_1_stderr_ D 0xe0
> diff --git a/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
> index 41b79c496a..ef434c61a7 100644
> --- a/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/s390/s390-32/libc.abilist
> @@ -1990,6 +1990,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.27 strfromf128 F
> GLIBC_2.27 strtof128 F
> GLIBC_2.27 strtof128_l F
> diff --git a/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist b/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
> index 68251a0e69..4114a4ce57 100644
> --- a/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/s390/s390-64/libc.abilist
> @@ -1891,6 +1891,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.27 strfromf128 F
> GLIBC_2.27 strtof128 F
> GLIBC_2.27 strtof128_l F
> diff --git a/sysdeps/unix/sysv/linux/sh/libc.abilist b/sysdeps/unix/sysv/linux/sh/libc.abilist
> index bc1aae275e..f4478b0cc5 100644
> --- a/sysdeps/unix/sysv/linux/sh/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/sh/libc.abilist
> @@ -1876,6 +1876,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 __ctype_b_loc F
> GLIBC_2.3 __ctype_tolower_loc F
> diff --git a/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
> index 93e6d092ac..136a57fc0e 100644
> --- a/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/sparc/sparc32/libc.abilist
> @@ -1983,6 +1983,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.27 strfromf128 F
> GLIBC_2.27 strtof128 F
> GLIBC_2.27 strtof128_l F
> diff --git a/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist b/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
> index b11d6764d4..9ad0790829 100644
> --- a/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/sparc/sparc64/libc.abilist
> @@ -1920,6 +1920,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.27 strfromf128 F
> GLIBC_2.27 strtof128 F
> GLIBC_2.27 strtof128_l F
> diff --git a/sysdeps/unix/sysv/linux/syscalls.list b/sysdeps/unix/sysv/linux/syscalls.list
> index 40c4fbb9ea..6f657eea2e 100644
> --- a/sysdeps/unix/sysv/linux/syscalls.list
> +++ b/sysdeps/unix/sysv/linux/syscalls.list
> @@ -110,3 +110,6 @@ setns EXTRA setns i:ii setns
> process_vm_readv EXTRA process_vm_readv i:ipipii process_vm_readv
> process_vm_writev EXTRA process_vm_writev i:ipipii process_vm_writev
> memfd_create EXTRA memfd_create i:si memfd_create
> +pkey_alloc EXTRA pkey_alloc i:ii pkey_alloc
> +pkey_free EXTRA pkey_free i:i pkey_free
> +pkey_mprotect EXTRA pkey_mprotect i:aiii pkey_mprotect
I do not think we can them as default since build against kernel headers
older than v4.9 won't have __NR_pkey_{alloc,free,mprotect). We need
default implementation with #ifdef __NR_....
> diff --git a/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist b/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist
> index e9eb4ff7bd..d4f2094027 100644
> --- a/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/tile/tilegx/tilegx32/libc.abilist
> @@ -2114,3 +2114,8 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> diff --git a/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist b/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist
> index 8f08e909cd..4916dbabb5 100644
> --- a/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/tile/tilegx/tilegx64/libc.abilist
> @@ -2114,3 +2114,8 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> diff --git a/sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist b/sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist
> index e9eb4ff7bd..d4f2094027 100644
> --- a/sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/tile/tilepro/libc.abilist
> @@ -2114,3 +2114,8 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> diff --git a/sysdeps/unix/sysv/linux/tst-pkey.c b/sysdeps/unix/sysv/linux/tst-pkey.c
> new file mode 100644
> index 0000000000..3c1f3cfa39
> --- /dev/null
> +++ b/sysdeps/unix/sysv/linux/tst-pkey.c
> @@ -0,0 +1,320 @@
> +/* Tests for memory protection keys.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <errno.h>
> +#include <inttypes.h>
> +#include <setjmp.h>
> +#include <stdbool.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <support/check.h>
> +#include <support/support.h>
> +#include <support/test-driver.h>
> +#include <support/xsignal.h>
> +#include <support/xthread.h>
> +#include <support/xunistd.h>
> +#include <sys/mman.h>
> +
> +/* Used to force threads to wait until the main thread has set up the
> + keys as intended. */
> +static pthread_barrier_t barrier;
> +
> +/* The keys used for testing. These have been allocated with access
> + rights set based on their array index. */
> +enum { key_count = 4 };
> +static int keys[key_count];
> +static volatile int *pages[key_count];
> +
> +/* Used to report results from the signal handler. */
> +static volatile void *sigsegv_addr;
> +static volatile int sigsegv_code;
> +static volatile int sigsegv_pkey;
> +static sigjmp_buf sigsegv_jmp;
> +
> +/* Used to handle expected read or write faults. */
> +static void
> +sigsegv_handler (int signum, siginfo_t *info, void *context)
> +{
> + sigsegv_addr = info->si_addr;
> + sigsegv_code = info->si_code;
> + sigsegv_pkey = info->si_pkey;
> + siglongjmp (sigsegv_jmp, 2);
> +}
> +
> +static const struct sigaction sigsegv_sigaction =
> + {
> + .sa_flags = SA_RESETHAND | SA_SIGINFO,
> + .sa_sigaction = &sigsegv_handler,
> + };
> +
> +/* Check if PAGE is readable (if !WRITE) or writable (if WRITE). */
> +static bool
> +check_page_access (int page, bool write)
> +{
> + /* This is needed to work around bug 22396: On x86-64, siglongjmp
> + does not restore the protection key access rights for the current
> + thread. We restore only the access rights for the keys under
> + test. (This is not a general solution to this problem, but it
> + allows testing to proceed after a fault.) */
> + unsigned saved_rights[key_count];
> + for (int i = 0; i < key_count; ++i)
> + saved_rights[i] = pkey_get (keys[i]);
> +
> + volatile int *addr = pages[page];
> + if (test_verbose > 0)
> + {
> + printf ("info: checking access at %p (page %d) for %s\n",
> + addr, page, write ? "writing" : "reading");
> + }
> + int result = sigsetjmp (sigsegv_jmp, 1);
> + if (result == 0)
> + {
> + xsigaction (SIGSEGV, &sigsegv_sigaction, NULL);
> + if (write)
> + *addr = 3;
> + else
> + (void) *addr;
> + xsignal (SIGSEGV, SIG_DFL);
> + if (test_verbose > 0)
> + puts (" --> access allowed");
> + return true;
> + }
> + else
> + {
> + xsignal (SIGSEGV, SIG_DFL);
> + if (test_verbose > 0)
> + puts (" --> access denied");
> + TEST_COMPARE (result, 2);
> + TEST_COMPARE ((uintptr_t) sigsegv_addr, (uintptr_t) addr);
> + TEST_COMPARE (sigsegv_code, SEGV_PKUERR);
> + TEST_COMPARE (sigsegv_pkey, keys[page]);
> + for (int i = 0; i < key_count; ++i)
> + TEST_COMPARE (pkey_set (keys[i], saved_rights[i]), 0);
> + return false;
> + }
> +}
> +
> +static volatile sig_atomic_t sigusr1_handler_ran;
> +
> +/* Used to check that access is revoked in signal handlers. */
> +static void
> +sigusr1_handler (int signum)
> +{
> + TEST_COMPARE (signum, SIGUSR1);
> + for (int i = 0; i < key_count; ++i)
> + TEST_COMPARE (pkey_get (keys[i]), PKEY_DISABLE_ACCESS);
> + sigusr1_handler_ran = 1;
> +}
> +
> +/* Used to report results from other threads. */
> +struct thread_result
> +{
> + int access_rights[key_count];
> + pthread_t next_thread;
> +};
> +
> +/* Return the thread's access rights for the keys under test. */
> +static void *
> +get_thread_func (void *closure)
> +{
> + struct thread_result *result = xmalloc (sizeof (*result));
> + for (int i = 0; i < key_count; ++i)
> + result->access_rights[i] = pkey_get (keys[i]);
> + memset (&result->next_thread, 0, sizeof (result->next_thread));
> + return result;
> +}
> +
> +/* Wait for initialization and then check that the current thread does
> + not have access through the keys under test. */
> +static void *
> +initial_thread_func (void *closure)
> +{
> + pthread_barrier_wait (&barrier);
> + struct thread_result *result = get_thread_func (NULL);
> +
> + /* Also check directly. This code should not run with other threads
> + in parallel because of the SIGSEGV handler which is installed by
> + check_page_access. */
> + for (int i = 0; i < key_count; ++i)
> + {
> + TEST_VERIFY (!check_page_access (i, false));
> + TEST_VERIFY (!check_page_access (i, true));
> + }
> +
> + result->next_thread = xpthread_create (NULL, get_thread_func, NULL);
> + return result;
> +}
> +
> +static int
> +do_test (void)
> +{
> + long pagesize = xsysconf (_SC_PAGESIZE);
> +
> + xpthread_barrier_init (&barrier, NULL, 2);
> + pthread_t initial_thread = xpthread_create
> + (NULL, &initial_thread_func, NULL);
> +
> + keys[0] = pkey_alloc (0, 0);
> + if (keys[0] < 0)
> + {
> + if (errno == ENOSYS)
> + {
> + puts ("warning: kernel does not support memory protection keys");
> + return EXIT_UNSUPPORTED;
> + }
> + if (errno == ENOSPC)
> + {
> + puts ("warning: CPU does not support memory protection keys");
> + return EXIT_UNSUPPORTED;
> + }
> + FAIL_EXIT1 ("pkey_alloc: %m");
> + }
> + TEST_COMPARE (pkey_get (keys[0]), 0);
> + for (int i = 1; i < key_count; ++i)
> + {
> + keys[i] = pkey_alloc (0, i);
> + if (keys[i] < 0)
> + FAIL_EXIT1 ("pkey_alloc (0, %d): %m", i);
> + /* pkey_alloc is supposed to change the current thread's access
> + rights for the new key. */
> + TEST_COMPARE (pkey_get (keys[i]), i);
> + }
> + /* Check that all the keys have the expected access rights for the
> + current thread. */
> + for (int i = 0; i < key_count; ++i)
> + TEST_COMPARE (pkey_get (keys[i]), i);
> +
> + /* Allocate a test page for each key. */
> + for (int i = 0; i < key_count; ++i)
> + {
> + pages[i] = xmmap (NULL, pagesize, PROT_READ | PROT_WRITE,
> + MAP_ANONYMOUS | MAP_PRIVATE, -1);
> + TEST_COMPARE (pkey_mprotect ((void *) pages[i], pagesize,
> + PROT_READ | PROT_WRITE, keys[i]), 0);
> + }
> +
> + /* Check that the initial thread does not have access to the new
> + keys. */
> + {
> + pthread_barrier_wait (&barrier);
> + struct thread_result *result = xpthread_join (initial_thread);
> + for (int i = 0; i < key_count; ++i)
> + TEST_COMPARE (result->access_rights[i],
> + PKEY_DISABLE_ACCESS);
> + struct thread_result *result2 = xpthread_join (result->next_thread);
> + for (int i = 0; i < key_count; ++i)
> + TEST_COMPARE (result->access_rights[i],
> + PKEY_DISABLE_ACCESS);
> + free (result);
> + free (result2);
> + }
> +
> + /* Check that the current thread access rights are inherited by new
> + threads. */
> + {
> + pthread_t get_thread = xpthread_create (NULL, get_thread_func, NULL);
> + struct thread_result *result = xpthread_join (get_thread);
> + for (int i = 0; i < key_count; ++i)
> + TEST_COMPARE (result->access_rights[i], i);
> + free (result);
> + }
> +
> + for (int i = 0; i < key_count; ++i)
> + TEST_COMPARE (pkey_get (keys[i]), i);
> +
> + /* Check that in a signal handler, there is no access. */
> + xsignal (SIGUSR1, &sigusr1_handler);
> + xraise (SIGUSR1);
> + xsignal (SIGUSR1, SIG_DFL);
> + TEST_COMPARE (sigusr1_handler_ran, 1);
> +
> + /* The first key results in a writable page. */
> + TEST_VERIFY (check_page_access (0, false));
> + TEST_VERIFY (check_page_access (0, true));
> +
> + /* The other keys do not. */
> + for (int i = 1; i < key_count; ++i)
> + {
> + if (test_verbose)
> + printf ("info: checking access for key %d, bits 0x%x\n",
> + i, pkey_get (keys[i]));
> + for (int j = 0; j < key_count; ++j)
> + TEST_COMPARE (pkey_get (keys[j]), j);
> + if (i & PKEY_DISABLE_ACCESS)
> + {
> + TEST_VERIFY (!check_page_access (i, false));
> + TEST_VERIFY (!check_page_access (i, true));
> + }
> + else
> + {
> + TEST_VERIFY (i & PKEY_DISABLE_WRITE);
> + TEST_VERIFY (check_page_access (i, false));
> + TEST_VERIFY (!check_page_access (i, true));
> + }
> + }
> +
> + /* But if we set the current thread's access rights, we gain
> + access. */
> + for (int do_write = 0; do_write < 2; ++do_write)
> + for (int allowed_key = 0; allowed_key < key_count; ++allowed_key)
> + {
> + for (int i = 0; i < key_count; ++i)
> + if (i == allowed_key)
> + {
> + if (do_write)
> + TEST_COMPARE (pkey_set (keys[i], 0), 0);
> + else
> + TEST_COMPARE (pkey_set (keys[i], PKEY_DISABLE_WRITE), 0);
> + }
> + else
> + TEST_COMPARE (pkey_set (keys[i], PKEY_DISABLE_ACCESS), 0);
> +
> + if (test_verbose)
> + printf ("info: key %d is allowed access for %s\n",
> + allowed_key, do_write ? "writing" : "reading");
> + for (int i = 0; i < key_count; ++i)
> + if (i == allowed_key)
> + {
> + TEST_VERIFY (check_page_access (i, false));
> + TEST_VERIFY (check_page_access (i, true) == do_write);
> + }
> + else
> + {
> + TEST_VERIFY (!check_page_access (i, false));
> + TEST_VERIFY (!check_page_access (i, true));
> + }
> + }
> +
> +
> + TEST_COMPARE (pkey_free (keys[0]), 0);
> + /* Second pkey_free will fail because the key has already been
> + freed. */
> + TEST_COMPARE (pkey_free (keys[0]),-1);
> + TEST_COMPARE (errno, EINVAL);
> + for (int i = 1; i < key_count; ++i)
> + TEST_COMPARE (pkey_free (keys[i]), 0);
> +
> + for (int i = 0; i < key_count; ++i)
> + xmunmap ((void *) pages[i], pagesize);
> +
> + xpthread_barrier_destroy (&barrier);
> + return 0;
> +}
> +
> +#include <support/test-driver.c>
> diff --git a/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
> index 0a4f7797ac..1ea74f9e8c 100644
> --- a/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/x86_64/64/libc.abilist
> @@ -1878,6 +1878,11 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
> GLIBC_2.3 GLIBC_2.3 A
> GLIBC_2.3 __ctype_b_loc F
> GLIBC_2.3 __ctype_tolower_loc F
> diff --git a/sysdeps/unix/sysv/linux/x86_64/arch-pkey.h b/sysdeps/unix/sysv/linux/x86_64/arch-pkey.h
> new file mode 100644
> index 0000000000..8e9bfdae96
> --- /dev/null
> +++ b/sysdeps/unix/sysv/linux/x86_64/arch-pkey.h
> @@ -0,0 +1,40 @@
> +/* Helper functions for manipulating memory protection keys.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#ifndef _ARCH_PKEY_H
> +#define _ARCH_PKEY_H
> +
> +/* Return the value of the PKRU register. */
> +static inline unsigned int
> +pkey_read (void)
> +{
> + unsigned int result;
> + __asm__ volatile (".byte 0x0f, 0x01, 0xee"
> + : "=a" (result) : "c" (0) : "rdx");
> + return result;
> +}
I think we should also constrain 'edx' since it is explict cleared on
'rdpkru' instruction:
static inline unsigned int
pkey_read (void)
{
unsigned int result, edx;
__asm__ volatile (".byte 0x0f, 0x01, 0xee"
: "=a" (result), "=d" (edx)
: "c" (0));
return result;
}
> +
> +/* Overwrite the PKRU register with VALUE. */
> +static inline void
> +pkey_write (unsigned int value)
> +{
> + __asm__ volatile (".byte 0x0f, 0x01, 0xef"
> + : : "a" (value), "c" (0), "d" (0));
> +}
> +
> +#endif /* _ARCH_PKEY_H */
> diff --git a/sysdeps/unix/sysv/linux/x86_64/pkey_get.c b/sysdeps/unix/sysv/linux/x86_64/pkey_get.c
> new file mode 100644
> index 0000000000..3a9bfbe676
> --- /dev/null
> +++ b/sysdeps/unix/sysv/linux/x86_64/pkey_get.c
> @@ -0,0 +1,33 @@
> +/* Reading the per-thread memory protection key, x86_64 version.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <arch-pkey.h>
> +#include <errno.h>
> +
> +int
> +pkey_get (int key)
> +{
> + if (key < 0 || key > 15)
> + {
> + __set_errno (EINVAL);
> + return -1;
> + }
> + unsigned int pkru = pkey_read ();
> + return (pkru >> (2 * key)) & 3;
> + return 0;
> +}
I think the kernel example to implement pkey_get is more parametrized and
may lead to a more portable code if the idea is to extend this syscalls
to other architectures than x86. It adds a arch-specific PKRU_BITS_PER_PKEY
and sets the mask based on current supported flags (which I think won't
be extended at least for x86 since there is no more available unused bits):
uint32_t mask = (PKEY_DISABLE_ACCESS|PKEY_DISABLE_WRITE);
uint32_t pkru = pkey_read ();
uint32_t shifted_pkru = (pkru >> (pkey * PKRU_BITS_PER_PKEY));
return (shifted_pkru & mask);
I think we can on arch-pkey.h two macros:
PKRU_BITS_PER_PKEY - number of bits for the pkey
PKRU_BITS_MASK - mask to get the bits
My idea is if eventually this syscalls is used on another architecture
it will follow similat semanthic (otherwise a different method might
lead to different syscalls) and by paratrizing it we can add a generic
interface for Linux instead of multiple implementations with similar
code.
> diff --git a/sysdeps/unix/sysv/linux/x86_64/pkey_set.c b/sysdeps/unix/sysv/linux/x86_64/pkey_set.c
> new file mode 100644
> index 0000000000..91dffd22c3
> --- /dev/null
> +++ b/sysdeps/unix/sysv/linux/x86_64/pkey_set.c
> @@ -0,0 +1,35 @@
> +/* Changing the per-thread memory protection key, x86_64 version.
> + Copyright (C) 2017 Free Software Foundation, Inc.
> + This file is part of the GNU C Library.
> +
> + The GNU C Library is free software; you can redistribute it and/or
> + modify it under the terms of the GNU Lesser General Public
> + License as published by the Free Software Foundation; either
> + version 2.1 of the License, or (at your option) any later version.
> +
> + The GNU C Library is distributed in the hope that it will be useful,
> + but WITHOUT ANY WARRANTY; without even the implied warranty of
> + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> + Lesser General Public License for more details.
> +
> + You should have received a copy of the GNU Lesser General Public
> + License along with the GNU C Library; if not, see
> + <http://www.gnu.org/licenses/>. */
> +
> +#include <arch-pkey.h>
> +#include <errno.h>
> +
> +int
> +pkey_set (int key, unsigned int rights)
> +{
> + if (key < 0 || key > 15 || rights > 3)
> + {
> + __set_errno (EINVAL);
> + return -1;
> + }
> + unsigned int mask = 3 << (2 * key);
> + unsigned int pkru = pkey_read ();
> + pkru = (pkru & ~mask) | (rights << (2 * key));
> + pkey_write (pkru);
> + return 0;
> +}
According to this LWN article [2] and man pages [3], the pkey 0 is set
aside for the default one and this key will never be allocated with
pkey_alloc(), and its restrictions cannot be changed. Assuming this
is still true (since the article is based on non upstream code), what
happen if try issue a pkey_set with a key 0? Does the kernel silent
ignore it or trap with an invalid instruction?
Also, I think we should parametrize it as for pkey_get to try make as
generic as possible.
[1] https://lwn.net/Articles/689395/
[2] http://man7.org/linux/man-pages/man7/pkeys.7.html
> diff --git a/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist b/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist
> index 23f6a91429..1d3d598618 100644
> --- a/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist
> +++ b/sysdeps/unix/sysv/linux/x86_64/x32/libc.abilist
> @@ -2121,3 +2121,8 @@ GLIBC_2.27 GLIBC_2.27 A
> GLIBC_2.27 glob F
> GLIBC_2.27 glob64 F
> GLIBC_2.27 memfd_create F
> +GLIBC_2.27 pkey_alloc F
> +GLIBC_2.27 pkey_free F
> +GLIBC_2.27 pkey_get F
> +GLIBC_2.27 pkey_mprotect F
> +GLIBC_2.27 pkey_set F
>
On 11/06/2017 05:49 PM, Adhemerval Zanella wrote:
>>
>> What's the general feeling about these interfaces? Shall we add them, despite their limitations (especially with regard to key reuse)?
>>
>> Then I'll write documentation.
>
> This is currently only supported on x86 and I am not sure if it will be
> ever used by other architectures, but Linux thinks its interface is
> sufficient generic since it decided to extend it be part of generic
> ABI. I also do not foresee this interface to be deprecated by any other
> soon, so I think it should be a valuable adition.
>
> Do you know any project that is already using it?
I'm not aware of any users. To be honest, I just needed a distraction
over the weekend.
> On 04/11/2017 15:49, Florian Weimer wrote:
>> This adds system call wrappers for pkey_alloc, pkey_free, pkey_mprotect,
>> and x86-64 implementations of pkey_get and pkey_set, which abstract over
>> the PKRU CPU register and hide the actual number of memory protection
>> keys supported by the CPU.
>>
>> The system call wrapers use unsigned int instead of unsigned long for
>> parameters, so that no special treatment for x32 is needed. The flags
>> argument is currently unused, and the access rights bit mask is limited
>> to two bits by the current PKRU register layout anyway.
>
> AFAIK there is no need to special handling of unsigned long, which is
> 32 bits on x32. There were issues of using {INLINE,INTERNAL}_SYSCALL
> along with 64 bits arguments (off_t for instance) and it should be fixed
> by 78ca091cdd2c. The only special handling is required for syscalls that
> return 64 bits arguments, for instance 'times', which can't be handled
> by {INLINE,INTERNAL}_SYSCALLS (x32 times.c get around by redefining
> internal_syscall1 to return a 64 bits value).
Oh, I was worried that these arguments were expected to be true 64-bit
values eventually. Not today, but perhaps in the future. Then using
unsigned long would be no good on x32. But this does not seem to be the
case, so we can just use unsigned int, to make clear that these
arguments are actually 32 bits only.
> So I think there is no reason to use a different symbol signature than
> kernel.
I still think using unsigned long should be avoided.
>> +/* Compare the two numbers LEFT and RIGHT and report failure if they
>> + are different. */
>> +#define TEST_COMPARE(left, right) \
>> + ({ \
>> + __typeof__ (left) __left_value = (left); \
>> + __typeof__ (right) __right_value = (right); \
>> + _Static_assert (sizeof (__left_value) <= sizeof (long long), \
>> + "left value fits into long long"); \
>> + _Static_assert (sizeof (__right_value) <= sizeof (long long), \
>> + "right value fits into long long"); \
>> + if (__left_value != __right_value \
>> + || ((__left_value > 0) != (__right_value > 0))) \
>> + support_test_compare_failure \
>> + (__FILE__, __LINE__, \
>> + #left, __left_value, __left_value > 0, \
>> + #right, __right_value, __right_value > 0); \
>> + })
>> +
>
> I think the macro name should be more explicit since it is not only
> comparing two number but also their size.
Huh? No, it checks that conversion to long long plus the sign bit is
not lossy and that the signs match. So I think the name is accurate.
>
>> +/* Internal implementation of TEST_COMPARE. LEFT_POSITIVE and
>> + RIGHT_POSITIVE are used to fit both unsigned long long and long
>> + long arguments into LEFT_VALUE and RIGHT_VALUE. */
>> +void support_test_compare_failure (const char *file, int line,
>> + const char *left_expr,
>> + long long left_value,
>> + int left_positive,
>> + const char *right_expr,
>> + long long right_value,
>> + int right_positive);
>> +
>> /* Internal function called by the test driver. */
>> int support_report_failure (int status)
>> __attribute__ ((weak, warn_unused_result));
>> diff --git a/support/support_test_compare_failure.c b/support/support_test_compare_failure.c
>> new file mode 100644
>> index 0000000000..38fec1ca89
>> --- /dev/null
>> +++ b/support/support_test_compare_failure.c
>> @@ -0,0 +1,46 @@
>> +/* Reporting mumeric comparison failure.
>
> Typo.
Thanks, fixed.
>> diff --git a/sysdeps/unix/sysv/linux/bits/mman-linux.h b/sysdeps/unix/sysv/linux/bits/mman-linux.h
>> index b091181960..da5ec79334 100644
>> --- a/sysdeps/unix/sysv/linux/bits/mman-linux.h
>> +++ b/sysdeps/unix/sysv/linux/bits/mman-linux.h
>> @@ -109,3 +109,38 @@
>> # define MCL_ONFAULT 4 /* Lock all pages that are
>> faulted in. */
>> #endif
>> +
>> +/* Memory protection key support. */
>> +#ifdef __USE_GNU
>> +
>> +/* FLags for pkey_alloc. */
>> +# define PKEY_DISABLE_ACCESS 0x1
>> +# define PKEY_DISABLE_WRITE 0x2
>
> Typo on 'FLags'.
Fixed.
>> diff --git a/sysdeps/unix/sysv/linux/syscalls.list b/sysdeps/unix/sysv/linux/syscalls.list
>> index 40c4fbb9ea..6f657eea2e 100644
>> --- a/sysdeps/unix/sysv/linux/syscalls.list
>> +++ b/sysdeps/unix/sysv/linux/syscalls.list
>> @@ -110,3 +110,6 @@ setns EXTRA setns i:ii setns
>> process_vm_readv EXTRA process_vm_readv i:ipipii process_vm_readv
>> process_vm_writev EXTRA process_vm_writev i:ipipii process_vm_writev
>> memfd_create EXTRA memfd_create i:si memfd_create
>> +pkey_alloc EXTRA pkey_alloc i:ii pkey_alloc
>> +pkey_free EXTRA pkey_free i:i pkey_free
>> +pkey_mprotect EXTRA pkey_mprotect i:aiii pkey_mprotect
>
> I do not think we can them as default since build against kernel headers
> older than v4.9 won't have __NR_pkey_{alloc,free,mprotect). We need
> default implementation with #ifdef __NR_....
Hmm. I checked that we'd fall back to an ENOSYS stub, but this was for
memfd_create, which had the stub in the generic API. That won't apply
here, so I will have to rework this a bit.
I will sent an updated patch.
>> +/* Return the value of the PKRU register. */
>> +static inline unsigned int
>> +pkey_read (void)
>> +{
>> + unsigned int result;
>> + __asm__ volatile (".byte 0x0f, 0x01, 0xee"
>> + : "=a" (result) : "c" (0) : "rdx");
>> + return result;
>> +}
>
> I think we should also constrain 'edx' since it is explict cleared on
> 'rdpkru' instruction:
>
> static inline unsigned int
> pkey_read (void)
> {
> unsigned int result, edx;
> __asm__ volatile (".byte 0x0f, 0x01, 0xee"
> : "=a" (result), "=d" (edx)
> : "c" (0));
> return result;
> }
I think the clobber for rdx takes care of that.
> I think the kernel example to implement pkey_get is more parametrized and
> may lead to a more portable code if the idea is to extend this syscalls
> to other architectures than x86. It adds a arch-specific PKRU_BITS_PER_PKEY
> and sets the mask based on current supported flags (which I think won't
> be extended at least for x86 since there is no more available unused bits):
Sorry, I disagree with that. Premature generalization usually does not
work out because you don't know which parts to generalize.
If we get key revocation on pkey_alloc, pkey_set would have to turn into
a vsyscall anyway (where the code sequence is known to the kernel, and
the revocation code can override the PKRU value the pkey_set
implementation has read, thus closing the race).
>> +int
>> +pkey_set (int key, unsigned int rights)
>> +{
>> + if (key < 0 || key > 15 || rights > 3)
>> + {
>> + __set_errno (EINVAL);
>> + return -1;
>> + }
>> + unsigned int mask = 3 << (2 * key);
>> + unsigned int pkru = pkey_read ();
>> + pkru = (pkru & ~mask) | (rights << (2 * key));
>> + pkey_write (pkru);
>> + return 0;
>> +}
>
> According to this LWN article [2] and man pages [3], the pkey 0 is set
> aside for the default one and this key will never be allocated with
> pkey_alloc(), and its restrictions cannot be changed. Assuming this
> is still true (since the article is based on non upstream code), what
> happen if try issue a pkey_set with a key 0? Does the kernel silent
> ignore it or trap with an invalid instruction?
I think userspace can write whatever it wants to the PKRU register. The
register update is always valid. It's just that some values will not be
very useful.
I added
TEST_COMPARE (pkey_set (0, PKEY_DISABLE_WRITE), 0);
to the test case, and it crashes here:
0x00000000004023c3 <+2083>: xor %edi,%edi
0x00000000004023c5 <+2085>: mov $0x2,%esi
0x00000000004023ca <+2090>: callq 0x4013d0 <pkey_set@plt>
0x00000000004023cf <+2095>: cmp $0x0,%eax
0x00000000004023d2 <+2098>: jne 0x4026d0 <do_test+2864>
0x00000000004023d8 <+2104>: mov $0x6062e0,%ebx
0x00000000004023dd <+2109>: mov (%rbx),%rdi
0x00000000004023e0 <+2112>: mov %r12,%rsi
0x00000000004023e3 <+2115>: add $0x8,%rbx
=> 0x00000000004023e7 <+2119>: callq 0x403730 <xmunmap>
This is the first memory write after the PKRU update. It is exactly
what I expected because the stack has key 0, and we revoked write
access. With PKEY_DISABLE_ACCESS, things get a bit weird because the
coredump writer can't read the memory. But with single-stepping, I was
able to confirm that the SIGSEGV happens on the retq instruction in
pkey_set, which is again as expected.
So I don't think we need to document key 0 as special in any way. It is
just a key that will never be returned from pkey_alloc, so unexpected
things may happen. I think key 1 is currently special as well because
it is PKEY_DISABLE_ACCESS, and execute-only mappings will use that.
Thanks,
Florian
On 06/11/2017 18:01, Florian Weimer wrote:
> On 11/06/2017 05:49 PM, Adhemerval Zanella wrote:
>>>
>>> What's the general feeling about these interfaces? Shall we add them, despite their limitations (especially with regard to key reuse)?
>>>
>>> Then I'll write documentation.
>>
>> This is currently only supported on x86 and I am not sure if it will be
>> ever used by other architectures, but Linux thinks its interface is
>> sufficient generic since it decided to extend it be part of generic
>> ABI. I also do not foresee this interface to be deprecated by any other
>> soon, so I think it should be a valuable adition.
>>
>> Do you know any project that is already using it?
>
> I'm not aware of any users. To be honest, I just needed a distraction over the weekend.
>
>> On 04/11/2017 15:49, Florian Weimer wrote:
>>> This adds system call wrappers for pkey_alloc, pkey_free, pkey_mprotect,
>>> and x86-64 implementations of pkey_get and pkey_set, which abstract over
>>> the PKRU CPU register and hide the actual number of memory protection
>>> keys supported by the CPU.
>>>
>>> The system call wrapers use unsigned int instead of unsigned long for
>>> parameters, so that no special treatment for x32 is needed. The flags
>>> argument is currently unused, and the access rights bit mask is limited
>>> to two bits by the current PKRU register layout anyway.
>>
>> AFAIK there is no need to special handling of unsigned long, which is
>> 32 bits on x32. There were issues of using {INLINE,INTERNAL}_SYSCALL
>> along with 64 bits arguments (off_t for instance) and it should be fixed
>> by 78ca091cdd2c. The only special handling is required for syscalls that
>> return 64 bits arguments, for instance 'times', which can't be handled
>> by {INLINE,INTERNAL}_SYSCALLS (x32 times.c get around by redefining
>> internal_syscall1 to return a 64 bits value).
>
> Oh, I was worried that these arguments were expected to be true 64-bit values eventually. Not today, but perhaps in the future.  Then using unsigned long would be no good on x32. But this does not seem to be the case, so we can just use unsigned int, to make clear that these arguments are actually 32 bits only.
Even they were 64 bits argument, current {INLINE,INTERNAL}_SYSCALL on
x32 pass them correctly in syscall arguments.
>
>> So I think there is no reason to use a different symbol signature than
>> kernel.
>
> I still think using unsigned long should be avoided.
Is your objection because it will have different argument types for 32
and 64 bits? Currently for x86 indeed it does not make difference since
for 'wrpkru' instruction on x86_64 the high-order 32-bits of RCX, RDX
and RAX are ignored.
But if we aim to make it a generic API I think we should stick to what
kernel provides for main reason we can not foresee what kind of usage
future architecture might do with this value.
>
>>> +/* Compare the two numbers LEFT and RIGHT and report failure if they
>>> +  are different. */
>>> +#define TEST_COMPARE(left, right)Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>> +Â ({Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>> +Â Â Â __typeof__ (left) __left_value = (left);Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>> +Â Â Â __typeof__ (right) __right_value = (right);Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>> +   _Static_assert (sizeof (__left_value) <= sizeof (long long),       \
>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â "left value fits into long long");Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>> +   _Static_assert (sizeof (__right_value) <= sizeof (long long),      \
>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â "right value fits into long long");Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>> +   if (__left_value != __right_value                                  \
>>> +Â Â Â Â Â Â Â || ((__left_value > 0) != (__right_value > 0)))Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>> +     support_test_compare_failure                                     \
>>> +       (__FILE__, __LINE__,                                           \
>>> +        #left, __left_value, __left_value > 0,                        \
>>> +Â Â Â Â Â Â Â Â #right, __right_value, __right_value > 0);Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>> +Â })
>>> +
>>
>> I think the macro name should be more explicit since it is not only
>> comparing two number but also their size.
>
> Huh? No, it checks that conversion to long long plus the sign bit is not lossy and that the signs match. So I think the name is accurate.
Yeah, but it ties some type (long long) and also some sign (since it
is comparing if both sides are positive) to a quite generic name.
Maybe TEST_COMPARE_LL_INT_POSITIVE?
>
>>
>>> +/* Internal implementation of TEST_COMPARE. LEFT_POSITIVE and
>>> +Â Â RIGHT_POSITIVE are used to fit both unsigned long long and long
>>> +  long arguments into LEFT_VALUE and RIGHT_VALUE. */
>>> +void support_test_compare_failure (const char *file, int line,
>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â const char *left_expr,
>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â long long left_value,
>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â int left_positive,
>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â const char *right_expr,
>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â long long right_value,
>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â int right_positive);
>>> +
>>>  /* Internal function called by the test driver. */
>>> Â int support_report_failure (int status)
>>> Â Â Â __attribute__ ((weak, warn_unused_result));
>>> diff --git a/support/support_test_compare_failure.c b/support/support_test_compare_failure.c
>>> new file mode 100644
>>> index 0000000000..38fec1ca89
>>> --- /dev/null
>>> +++ b/support/support_test_compare_failure.c
>>> @@ -0,0 +1,46 @@
>>> +/* Reporting mumeric comparison failure.
>>
>> Typo.
>
> Thanks, fixed.
>
>>> diff --git a/sysdeps/unix/sysv/linux/bits/mman-linux.h b/sysdeps/unix/sysv/linux/bits/mman-linux.h
>>> index b091181960..da5ec79334 100644
>>> --- a/sysdeps/unix/sysv/linux/bits/mman-linux.h
>>> +++ b/sysdeps/unix/sysv/linux/bits/mman-linux.h
>>> @@ -109,3 +109,38 @@
>>> Â # define MCL_ONFAULTÂ Â Â 4Â Â Â Â Â Â Â /* Lock all pages that are
>>>                         faulted in. */
>>> Â #endif
>>> +
>>> +/* Memory protection key support. */
>>> +#ifdef __USE_GNU
>>> +
>>> +/* FLags for pkey_alloc. */
>>> +# define PKEY_DISABLE_ACCESS 0x1
>>> +# define PKEY_DISABLE_WRITE 0x2
>>
>> Typo on 'FLags'.
>
> Fixed.
>
>>> diff --git a/sysdeps/unix/sysv/linux/syscalls.list b/sysdeps/unix/sysv/linux/syscalls.list
>>> index 40c4fbb9ea..6f657eea2e 100644
>>> --- a/sysdeps/unix/sysv/linux/syscalls.list
>>> +++ b/sysdeps/unix/sysv/linux/syscalls.list
>>> @@ -110,3 +110,6 @@ setns       EXTRA   setns       i:ii   setns
>>> Â process_vm_readv EXTRAÂ Â Â process_vm_readv i:ipipii process_vm_readv
>>> Â process_vm_writev EXTRAÂ Â Â process_vm_writev i:ipipii process_vm_writev
>>>  memfd_create   EXTRA   memfd_create   i:si   memfd_create
>>> +pkey_alloc   EXTRA   pkey_alloc   i:ii   pkey_alloc
>>> +pkey_free   EXTRA   pkey_free   i:i   pkey_free
>>> +pkey_mprotect   EXTRA   pkey_mprotect   i:aiii pkey_mprotect
>>
>> I do not think we can them as default since build against kernel headers
>> older than v4.9 won't have __NR_pkey_{alloc,free,mprotect). We need
>> default implementation with #ifdef __NR_....
>
> Hmm. I checked that we'd fall back to an ENOSYS stub, but this was for memfd_create, which had the stub in the generic API. That won't apply here, so I will have to rework this a bit.
>
> I will sent an updated patch.
>
>>> +/* Return the value of the PKRU register. */
>>> +static inline unsigned int
>>> +pkey_read (void)
>>> +{
>>> +Â unsigned int result;
>>> +Â __asm__ volatile (".byte 0x0f, 0x01, 0xee"
>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â : "=a" (result) : "c" (0) : "rdx");
>>> +Â return result;
>>> +}
>>
>> I think we should also constrain 'edx' since it is explict cleared on
>> 'rdpkru' instruction:
>>
>> Â Â static inline unsigned int
>> Â Â pkey_read (void)
>> Â Â {
>> Â Â Â Â unsigned int result, edx;
>> Â Â Â Â __asm__ volatile (".byte 0x0f, 0x01, 0xee"
>> Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â : "=a" (result), "=d" (edx)
>> Â Â Â Â Â Â Â Â Â Â Â Â Â : "c" (0));
>> Â Â Â Â return result;
>> Â Â }
>
> I think the clobber for rdx takes care of that.
>
>> I think the kernel example to implement pkey_get is more parametrized and
>> may lead to a more portable code if the idea is to extend this syscalls
>> to other architectures than x86. It adds a arch-specific PKRU_BITS_PER_PKEY
>> and sets the mask based on current supported flags (which I think won't
>> be extended at least for x86 since there is no more available unused bits):
>
> Sorry, I disagree with that. Premature generalization usually does not work out because you don't know which parts to generalize.
>
> If we get key revocation on pkey_alloc, pkey_set would have to turn into a vsyscall anyway (where the code sequence is known to the kernel, and the revocation code can override the PKRU value the pkey_set implementation has read, thus closing the race).
Alright, that is fair point. I am thinking more about the sense of
what should be generic such a maximum number of bits for the mask,
the possible mask value and to set them on the internal flag. But
I think if it were the case in the future we can work a more generic
implementation.
>
>>> +int
>>> +pkey_set (int key, unsigned int rights)
>>> +{
>>> +Â if (key < 0 || key > 15 || rights > 3)
>>> +Â Â Â {
>>> +Â Â Â Â Â __set_errno (EINVAL);
>>> +Â Â Â Â Â return -1;
>>> +Â Â Â }
>>> +Â unsigned int mask = 3 << (2 * key);
>>> +Â unsigned int pkru = pkey_read ();
>>> +Â pkru = (pkru & ~mask) | (rights << (2 * key));
>>> +Â pkey_write (pkru);
>>> +Â return 0;
>>> +}
>>
>> According to this LWN article [2] and man pages [3], the pkey 0 is set
>> aside for the default one and this key will never be allocated with
>> pkey_alloc(), and its restrictions cannot be changed. Assuming this
>> is still true (since the article is based on non upstream code), what
>> happen if try issue a pkey_set with a key 0? Does the kernel silent
>> ignore it or trap with an invalid instruction?
>
> I think userspace can write whatever it wants to the PKRU register. The register update is always valid. It's just that some values will not be very useful.
>
> I added
>
> Â TEST_COMPARE (pkey_set (0, PKEY_DISABLE_WRITE), 0);
>
> to the test case, and it crashes here:
>
>   0x00000000004023c3 <+2083>: xor   %edi,%edi
>   0x00000000004023c5 <+2085>: mov   $0x2,%esi
>   0x00000000004023ca <+2090>: callq 0x4013d0 <pkey_set@plt>
>   0x00000000004023cf <+2095>: cmp   $0x0,%eax
>   0x00000000004023d2 <+2098>: jne   0x4026d0 <do_test+2864>
>   0x00000000004023d8 <+2104>: mov   $0x6062e0,%ebx
>   0x00000000004023dd <+2109>: mov   (%rbx),%rdi
>   0x00000000004023e0 <+2112>: mov   %r12,%rsi
>   0x00000000004023e3 <+2115>: add   $0x8,%rbx
> => 0x00000000004023e7 <+2119>: callq 0x403730 <xmunmap>
>
> This is the first memory write after the PKRU update. It is exactly what I expected because the stack has key 0, and we revoked write access. With PKEY_DISABLE_ACCESS, things get a bit weird because the coredump writer can't read the memory. But with single-stepping, I was able to confirm that the SIGSEGV happens on the retq instruction in pkey_set, which is again as expected.
>
> So I don't think we need to document key 0 as special in any way. It is just a key that will never be returned from pkey_alloc, so unexpected things may happen. I think key 1 is currently special as well because it is PKEY_DISABLE_ACCESS, and execute-only mappings will use that.
>
> Thanks,
> Florian
What about new pkey_mprotect (..., 0) after pkey_set (0, ...)? Will it follow
the new key setting for key 0 or kernel will use a default value?
My question is of you think we need to filter and/or document key 0 (and 1 as
you indicate) as being special?
* Adhemerval Zanella:
>> Oh, I was worried that these arguments were expected to be true
>> 64-bit values eventually. Not today, but perhaps in the future. Â
>> Then using unsigned long would be no good on x32. But this does not
>> seem to be the case, so we can just use unsigned int, to make clear
>> that these arguments are actually 32 bits only.
>
> Even they were 64 bits argument, current {INLINE,INTERNAL}_SYSCALL on
> x32 pass them correctly in syscall arguments.
But there would only be 32 bits to pass.
>>> So I think there is no reason to use a different symbol signature than
>>> kernel.
>>
>> I still think using unsigned long should be avoided.
>
> Is your objection because it will have different argument types for 32
> and 64 bits?
Yes, if 64 bits were needed, then it would have to be unsigned long
long on x32. But we need only 32 actually (0 and 3 bits for the
upcoming POWER support), so unsigned int is the right type, I think.
> Currently for x86 indeed it does not make difference since for
> 'wrpkru' instruction on x86_64 the high-order 32-bits of RCX, RDX
> and RAX are ignored.
The size of the PKRU register does not matter. pkey_alloc does not
use a bitmap of keys, it returns a key number (which happens to be an
index into PKRU on x86-64, but this is not exposed in the API).
> But if we aim to make it a generic API I think we should stick to
> what kernel provides for main reason we can not foresee what kind of
> usage future architecture might do with this value.
Well, it's a generic interface, so if there's an expectation that the
generic code might eventually use a flag beyond 32 bits, we'd better
using uint64_t today. But that seems quite an overkill.
>>>> +/* Compare the two numbers LEFT and RIGHT and report failure if they
>>>> +  are different. */
>>>> +#define TEST_COMPARE(left, right)Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>> +Â ({Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>> +Â Â Â __typeof__ (left) __left_value = (left);Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>> +Â Â Â __typeof__ (right) __right_value = (right);Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>> +   _Static_assert (sizeof (__left_value) <= sizeof (long long),       \
>>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â "left value fits into long long");Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>> +   _Static_assert (sizeof (__right_value) <= sizeof (long long),      \
>>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â "right value fits into long long");Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>> +   if (__left_value != __right_value                                  \
>>>> +Â Â Â Â Â Â Â || ((__left_value > 0) != (__right_value > 0)))Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>> +     support_test_compare_failure                                     \
>>>> +       (__FILE__, __LINE__,                                           \
>>>> +        #left, __left_value, __left_value > 0,                        \
>>>> +Â Â Â Â Â Â Â Â #right, __right_value, __right_value > 0);Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>> +Â })
>>>> +
>>>
>>> I think the macro name should be more explicit since it is not only
>>> comparing two number but also their size.
>>
>> Huh? No, it checks that conversion to long long plus the sign bit
>> is not lossy and that the signs match. So I think the name is
>> accurate.
>
> Yeah, but it ties some type (long long) and also some sign (since it
> is comparing if both sides are positive) to a quite generic name.
> Maybe TEST_COMPARE_LL_INT_POSITIVE?
It uses long long as a proxy for intmax_t. I don't want to include
<inttypes.h> due to namespace pollution.
The compile-time check is there to prevent the accidental use of the
macro with 128-bit integer types.
>> Sorry, I disagree with that. Premature generalization usually does
>> not work out because you don't know which parts to generalize.
>>
>> If we get key revocation on pkey_alloc, pkey_set would have to turn
>> into a vsyscall anyway (where the code sequence is known to the
>> kernel, and the revocation code can override the PKRU value the
>> pkey_set implementation has read, thus closing the race).
>
> Alright, that is fair point. I am thinking more about the sense of
> what should be generic such a maximum number of bits for the mask,
> the possible mask value and to set them on the internal flag. But
> I think if it were the case in the future we can work a more generic
> implementation.
I just saw POWER patches fly by. There, the executable permission
seems to be in a separate register which cannot be updated directly
from userspace. 8-/
> What about new pkey_mprotect (..., 0) after pkey_set (0, ...)? Will
> it follow the new key setting for key 0 or kernel will use a default
> value?
It's important that the keys are basically additional tag bits on a
page. In isolation they do not grant or reject access. These tag
bits only select which access rights associated with the current
thread should be applied to the page. So pkey_mprotect and pkey_set
are completely indepedent: pkey_mprotect changes the tag bits on the
page (but nothing else) and does not depend on the current thread's
access rights, and pkey_set changes the current thread's access rights
only (without changing the page tag bits set by pkey_mprotect before
or after). Crucially, these keys do not any additional protection
flags to pages. The tag bits gain meaning only in combination with
the access rights of a running thread.
> My question is of you think we need to filter and/or document key 0
> (and 1 as you indicate) as being special?
No, we shouldn't do that. The kernel will do it for us as part of
pkey_alloc, and that should be sufficient.
On Mon, 6 Nov 2017, Florian Weimer wrote:
> > > diff --git a/sysdeps/unix/sysv/linux/syscalls.list
> > > b/sysdeps/unix/sysv/linux/syscalls.list
> > > index 40c4fbb9ea..6f657eea2e 100644
> > > --- a/sysdeps/unix/sysv/linux/syscalls.list
> > > +++ b/sysdeps/unix/sysv/linux/syscalls.list
> > > @@ -110,3 +110,6 @@ setns EXTRA setns i:ii setns
> > > process_vm_readv EXTRA process_vm_readv i:ipipii process_vm_readv
> > > process_vm_writev EXTRA process_vm_writev i:ipipii process_vm_writev
> > > memfd_create EXTRA memfd_create i:si memfd_create
> > > +pkey_alloc EXTRA pkey_alloc i:ii pkey_alloc
> > > +pkey_free EXTRA pkey_free i:i pkey_free
> > > +pkey_mprotect EXTRA pkey_mprotect i:aiii pkey_mprotect
> >
> > I do not think we can them as default since build against kernel headers
> > older than v4.9 won't have __NR_pkey_{alloc,free,mprotect). We need
> > default implementation with #ifdef __NR_....
>
> Hmm. I checked that we'd fall back to an ENOSYS stub, but this was for
> memfd_create, which had the stub in the generic API. That won't apply here,
> so I will have to rework this a bit.
I'd expect the stub-syscalls code in sysdeps/unix/Makefile to apply here.
These entries are essentially much like the bdflush one, which exercises
the ENOSYS generation on x86_64 as a syscall not existing there.
On 06/11/2017 20:59, Joseph Myers wrote:
> On Mon, 6 Nov 2017, Florian Weimer wrote:
>
>>>> diff --git a/sysdeps/unix/sysv/linux/syscalls.list
>>>> b/sysdeps/unix/sysv/linux/syscalls.list
>>>> index 40c4fbb9ea..6f657eea2e 100644
>>>> --- a/sysdeps/unix/sysv/linux/syscalls.list
>>>> +++ b/sysdeps/unix/sysv/linux/syscalls.list
>>>> @@ -110,3 +110,6 @@ setns EXTRA setns i:ii setns
>>>> process_vm_readv EXTRA process_vm_readv i:ipipii process_vm_readv
>>>> process_vm_writev EXTRA process_vm_writev i:ipipii process_vm_writev
>>>> memfd_create EXTRA memfd_create i:si memfd_create
>>>> +pkey_alloc EXTRA pkey_alloc i:ii pkey_alloc
>>>> +pkey_free EXTRA pkey_free i:i pkey_free
>>>> +pkey_mprotect EXTRA pkey_mprotect i:aiii pkey_mprotect
>>>
>>> I do not think we can them as default since build against kernel headers
>>> older than v4.9 won't have __NR_pkey_{alloc,free,mprotect). We need
>>> default implementation with #ifdef __NR_....
>>
>> Hmm. I checked that we'd fall back to an ENOSYS stub, but this was for
>> memfd_create, which had the stub in the generic API. That won't apply here,
>> so I will have to rework this a bit.
>
> I'd expect the stub-syscalls code in sysdeps/unix/Makefile to apply here.
> These entries are essentially much like the bdflush one, which exercises
> the ENOSYS generation on x86_64 as a syscall not existing there.
>
Indeed this is what happens for non defined __NR_ syscalls, sorry for the trouble.
On 06/11/2017 20:03, Florian Weimer wrote:
> * Adhemerval Zanella:
>
>>> Oh, I was worried that these arguments were expected to be true
>>> 64-bit values eventually. Not today, but perhaps in the future. Â
>>> Then using unsigned long would be no good on x32. But this does not
>>> seem to be the case, so we can just use unsigned int, to make clear
>>> that these arguments are actually 32 bits only.
>>
>> Even they were 64 bits argument, current {INLINE,INTERNAL}_SYSCALL on
>> x32 pass them correctly in syscall arguments.
>
> But there would only be 32 bits to pass.
>
>>>> So I think there is no reason to use a different symbol signature than
>>>> kernel.
>>>
>>> I still think using unsigned long should be avoided.
>>
>> Is your objection because it will have different argument types for 32
>> and 64 bits?
>
> Yes, if 64 bits were needed, then it would have to be unsigned long
> long on x32. But we need only 32 actually (0 and 3 bits for the
> upcoming POWER support), so unsigned int is the right type, I think.
Right, I would like to try deviate as little as possible from the
kernel but I think we can have a different signature for these function.
>
>> Currently for x86 indeed it does not make difference since for
>> 'wrpkru' instruction on x86_64 the high-order 32-bits of RCX, RDX
>> and RAX are ignored.
>
> The size of the PKRU register does not matter. pkey_alloc does not
> use a bitmap of keys, it returns a key number (which happens to be an
> index into PKRU on x86-64, but this is not exposed in the API).
>
>> But if we aim to make it a generic API I think we should stick to
>> what kernel provides for main reason we can not foresee what kind of
>> usage future architecture might do with this value.
>
> Well, it's a generic interface, so if there's an expectation that the
> generic code might eventually use a flag beyond 32 bits, we'd better
> using uint64_t today. But that seems quite an overkill.
Ok, seems a reasonable approach.
>
>>>>> +/* Compare the two numbers LEFT and RIGHT and report failure if they
>>>>> +  are different. */
>>>>> +#define TEST_COMPARE(left, right)Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>>> +Â ({Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>>> +Â Â Â __typeof__ (left) __left_value = (left);Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>>> +Â Â Â __typeof__ (right) __right_value = (right);Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>>> +   _Static_assert (sizeof (__left_value) <= sizeof (long long),       \
>>>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â "left value fits into long long");Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>>> +   _Static_assert (sizeof (__right_value) <= sizeof (long long),      \
>>>>> +Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â "right value fits into long long");Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>>> +   if (__left_value != __right_value                                  \
>>>>> +Â Â Â Â Â Â Â || ((__left_value > 0) != (__right_value > 0)))Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>>> +     support_test_compare_failure                                     \
>>>>> +       (__FILE__, __LINE__,                                           \
>>>>> +        #left, __left_value, __left_value > 0,                        \
>>>>> +Â Â Â Â Â Â Â Â #right, __right_value, __right_value > 0);Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â Â \
>>>>> +Â })
>>>>> +
>>>>
>>>> I think the macro name should be more explicit since it is not only
>>>> comparing two number but also their size.
>>>
>>> Huh? No, it checks that conversion to long long plus the sign bit
>>> is not lossy and that the signs match. So I think the name is
>>> accurate.
>>
>> Yeah, but it ties some type (long long) and also some sign (since it
>> is comparing if both sides are positive) to a quite generic name.
>> Maybe TEST_COMPARE_LL_INT_POSITIVE?
>
> It uses long long as a proxy for intmax_t. I don't want to include
> <inttypes.h> due to namespace pollution.
>
> The compile-time check is there to prevent the accidental use of the
> macro with 128-bit integer types.
Ok, would you mind adding this comment on macro implementation?
>
>>> Sorry, I disagree with that. Premature generalization usually does
>>> not work out because you don't know which parts to generalize.
>>>
>>> If we get key revocation on pkey_alloc, pkey_set would have to turn
>>> into a vsyscall anyway (where the code sequence is known to the
>>> kernel, and the revocation code can override the PKRU value the
>>> pkey_set implementation has read, thus closing the race).
>>
>> Alright, that is fair point. I am thinking more about the sense of
>> what should be generic such a maximum number of bits for the mask,
>> the possible mask value and to set them on the internal flag. But
>> I think if it were the case in the future we can work a more generic
>> implementation.
>
> I just saw POWER patches fly by. There, the executable permission
> seems to be in a separate register which cannot be updated directly
> from userspace. 8-/
It is at v9 now [1] (and you seems to be already aware since you replied
about key reuse issue). And they are solving the executable permission
userspace issue it by adding a new syscall (__NR_pkey_modify).
Reading powerpc patchset it seems to me that it will be worth add
some generalization on arch-pkey.h and pkey_{set,get}
- Based on current patchset, powerpc seems to define different
value for PKEY_DISABLE_ACCESS, so I think it would be worth
to parametrize by moving it to arch-defined header.
- What about adding this on arch-pkey.h
---
#define HAVE_ARCH_PKEY 1
#define NR_PKEYS 16
#define PKEY_BITS_PER_PKEY 2
static inline uint32_t
pkey_shift (uint32_t pkey)
{
return pkey * PKEY_BITS_PER_PKEY;
}
---
And define as pkey_get:
---
uint32_t pkey_get (int pkey, unsigned long flags)
{
#if HAVE_ARCH_PKEY
uint32_t mask = (PKEY_DISABLE_ACCESS|PKEY_DISABLE_WRITE);
pkey_reg_t pkey_reg = pkey_read ();
pkey_reg_t pkey_shifted = pkey_reg >> pkey_shift (pkey);
return pkey_shifted & mask;
#else
return -1;
#endif
}
---
With this a possible future powerpc patch would just need to
add code on arch-pkey.h instead of reimplement pkey_set.c as
well.
- I would expect something similar to pkey_set, but also issuing
the syscall for executable permission masking.
[1] https://lists.ozlabs.org/pipermail/linuxppc-dev/2017-November/165602.html
>
>> What about new pkey_mprotect (..., 0) after pkey_set (0, ...)? Will
>> it follow the new key setting for key 0 or kernel will use a default
>> value?
>
> It's important that the keys are basically additional tag bits on a
> page. In isolation they do not grant or reject access. These tag
> bits only select which access rights associated with the current
> thread should be applied to the page. So pkey_mprotect and pkey_set
> are completely indepedent: pkey_mprotect changes the tag bits on the
> page (but nothing else) and does not depend on the current thread's
> access rights, and pkey_set changes the current thread's access rights
> only (without changing the page tag bits set by pkey_mprotect before
> or after). Crucially, these keys do not any additional protection
> flags to pages. The tag bits gain meaning only in combination with
> the access rights of a running thread.
My understanding from documentation it key 0 is default one and it
is assigned to any memory regions (through mmap) which has not been
explicitly assigned through pkey_mprotect. My questioning whether we
should filter out key 0 is to:
1. Issue an error when application tries to use a key which has
not been previously allocated by pkey_alloc (since key 0 is
pre-allocated by the kernel).
2. Avoid changing default masking bits for pages which has not
been explicitly assigned through a pkey_mprotect.
However this does not prevent uses from issuing a RDPKRU/WRPKRU
directly.
>
>> My question is of you think we need to filter and/or document key 0
>> (and 1 as you indicate) as being special?
>
> No, we shouldn't do that. The kernel will do it for us as part of
> pkey_alloc, and that should be sufficient.
>
@@ -52,9 +52,10 @@ libsupport-routines = \
support_record_failure \
support_run_diff \
support_shared_allocate \
- support_write_file_string \
+ support_test_compare_failure \
support_test_main \
support_test_verify_impl \
+ support_write_file_string \
temp_file \
write_message \
xaccept \
@@ -84,8 +85,8 @@ libsupport-routines = \
xpthread_attr_destroy \
xpthread_attr_init \
xpthread_attr_setdetachstate \
- xpthread_attr_setstacksize \
xpthread_attr_setguardsize \
+ xpthread_attr_setstacksize \
xpthread_barrier_destroy \
xpthread_barrier_init \
xpthread_barrier_wait \
@@ -116,14 +117,18 @@ libsupport-routines = \
xpthread_sigmask \
xpthread_spin_lock \
xpthread_spin_unlock \
+ xraise \
xreadlink \
xrealloc \
xrecvfrom \
xsendto \
xsetsockopt \
+ xsigaction \
+ xsignal \
xsocket \
xstrdup \
xstrndup \
+ xsysconf \
xunlink \
xwaitpid \
xwrite \
@@ -86,6 +86,35 @@ void support_test_verify_exit_impl (int status, const char *file, int line,
does not support reporting failures from a DSO. */
void support_record_failure (void);
+/* Compare the two numbers LEFT and RIGHT and report failure if they
+ are different. */
+#define TEST_COMPARE(left, right) \
+ ({ \
+ __typeof__ (left) __left_value = (left); \
+ __typeof__ (right) __right_value = (right); \
+ _Static_assert (sizeof (__left_value) <= sizeof (long long), \
+ "left value fits into long long"); \
+ _Static_assert (sizeof (__right_value) <= sizeof (long long), \
+ "right value fits into long long"); \
+ if (__left_value != __right_value \
+ || ((__left_value > 0) != (__right_value > 0))) \
+ support_test_compare_failure \
+ (__FILE__, __LINE__, \
+ #left, __left_value, __left_value > 0, \
+ #right, __right_value, __right_value > 0); \
+ })
+
+/* Internal implementation of TEST_COMPARE. LEFT_POSITIVE and
+ RIGHT_POSITIVE are used to fit both unsigned long long and long
+ long arguments into LEFT_VALUE and RIGHT_VALUE. */
+void support_test_compare_failure (const char *file, int line,
+ const char *left_expr,
+ long long left_value,
+ int left_positive,
+ const char *right_expr,
+ long long right_value,
+ int right_positive);
+
/* Internal function called by the test driver. */
int support_report_failure (int status)
__attribute__ ((weak, warn_unused_result));
new file mode 100644
@@ -0,0 +1,46 @@
+/* Reporting mumeric comparison failure.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <stdio.h>
+#include <support/check.h>
+
+static void
+report (const char *which, const char *expr, long long value, int positive)
+{
+ printf (" %s: ", which);
+ if (positive)
+ printf ("%llu", (unsigned long long) value);
+ else
+ printf ("%lld", value);
+ printf (" (0x%llx); from: %s\n", (unsigned long long) value, expr);
+}
+
+void
+support_test_compare_failure (const char *file, int line,
+ const char *left_expr,
+ long long left_value,
+ int left_positive,
+ const char *right_expr,
+ long long right_value,
+ int right_positive)
+{
+ support_record_failure ();
+ printf ("%s:%d: numeric comparison failure\n", file, line);
+ report (" left", left_expr, left_value, left_positive);
+ report ("right", right_expr, right_value, right_positive);
+}
new file mode 100644
@@ -0,0 +1,27 @@
+/* Error-checking wrapper for raise.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <support/check.h>
+#include <support/xsignal.h>
+
+void
+xraise (int sig)
+{
+ if (raise (sig) != 0)
+ FAIL_EXIT1 ("raise (%d): %m" , sig);
+}
new file mode 100644
@@ -0,0 +1,27 @@
+/* Error-checking wrapper for sigaction.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <support/check.h>
+#include <support/xsignal.h>
+
+void
+xsigaction (int sig, const struct sigaction *newact, struct sigaction *oldact)
+{
+ if (sigaction (sig, newact, oldact))
+ FAIL_EXIT1 ("sigaction (%d): %m" , sig);
+}
new file mode 100644
@@ -0,0 +1,29 @@
+/* Error-checking wrapper for signal.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <support/check.h>
+#include <support/xsignal.h>
+
+sighandler_t
+xsignal (int sig, sighandler_t handler)
+{
+ sighandler_t result = signal (sig, handler);
+ if (result == SIG_ERR)
+ FAIL_EXIT1 ("signal (%d, %p): %m", sig, handler);
+ return result;
+}
@@ -24,6 +24,14 @@
__BEGIN_DECLS
+/* The following functions call the corresponding libc functions and
+ terminate the process on error. */
+
+void xraise (int sig);
+sighandler_t xsignal (int sig, sighandler_t handler);
+void xsigaction (int sig, const struct sigaction *newact,
+ struct sigaction *oldact);
+
/* The following functions call the corresponding libpthread functions
and terminate the process on error. */
new file mode 100644
@@ -0,0 +1,36 @@
+/* Error-checking wrapper for sysconf.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <errno.h>
+#include <support/check.h>
+#include <support/xunistd.h>
+
+long
+xsysconf (int name)
+{
+ /* Detect errors by a changed errno value, in case -1 is a valid
+ value. Make sure that the caller does not see the zero value for
+ errno. */
+ int old_errno = errno;
+ errno = 0;
+ long result = sysconf (name);
+ if (errno != 0)
+ FAIL_EXIT1 ("sysconf (%d): %m", name);
+ errno = old_errno;
+ return result;
+}
@@ -39,6 +39,7 @@ void xstat (const char *path, struct stat64 *);
void xmkdir (const char *path, mode_t);
void xchroot (const char *path);
void xunlink (const char *path);
+long xsysconf (int name);
/* Read the link at PATH. The caller should free the returned string
with free. */
@@ -18,7 +18,7 @@ sysdep_routines += clone umount umount2 readahead \
setfsuid setfsgid epoll_pwait signalfd \
eventfd eventfd_read eventfd_write prlimit \
personality epoll_wait tee vmsplice splice \
- open_by_handle_at
+ open_by_handle_at pkey_set pkey_get
CFLAGS-gethostid.c = -fexceptions
CFLAGS-tee.c = -fexceptions -fasynchronous-unwind-tables
@@ -44,7 +44,7 @@ sysdep_headers += sys/mount.h sys/acct.h sys/sysctl.h \
tests += tst-clone tst-clone2 tst-clone3 tst-fanotify tst-personality \
tst-quota tst-sync_file_range test-errno-linux tst-sysconf-iov_max \
- tst-memfd_create
+ tst-memfd_create tst-pkey
# Generate the list of SYS_* macros for the system calls (__NR_*
# macros). The file syscall-names.list contains all possible system
@@ -92,6 +92,8 @@ $(objpfx)tst-syscall-list.out: \
# Separate object file for access to the constant from the UAPI header.
$(objpfx)tst-sysconf-iov_max: $(objpfx)tst-sysconf-iov_max-uapi.o
+$(objpfx)tst-pkey: $(shared-thread-library)
+
endif # $(subdir) == misc
ifeq ($(subdir),time)
@@ -168,6 +168,7 @@ libc {
}
GLIBC_2.27 {
memfd_create;
+ pkey_alloc; pkey_free; pkey_set; pkey_get; pkey_mprotect;
}
GLIBC_PRIVATE {
# functions used in other libraries
@@ -2107,6 +2107,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.27 strfromf128 F
GLIBC_2.27 strtof128 F
GLIBC_2.27 strtof128_l F
@@ -2018,6 +2018,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.27 strfromf128 F
GLIBC_2.27 strtof128 F
GLIBC_2.27 strtof128_l F
@@ -108,6 +108,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.4 GLIBC_2.4 A
GLIBC_2.4 _Exit F
GLIBC_2.4 _IO_2_1_stderr_ D 0xa0
@@ -109,3 +109,38 @@
# define MCL_ONFAULT 4 /* Lock all pages that are
faulted in. */
#endif
+
+/* Memory protection key support. */
+#ifdef __USE_GNU
+
+/* FLags for pkey_alloc. */
+# define PKEY_DISABLE_ACCESS 0x1
+# define PKEY_DISABLE_WRITE 0x2
+
+__BEGIN_DECLS
+
+/* Allocate a new protection key, with the PKEY_DISABLE_* bits
+ specified in ACCESS_RIGHTS. The protection key mask for the
+ current thread is updated to match the access privilege for the new
+ key. */
+int pkey_alloc (unsigned int __flags, unsigned int __access_rights) __THROW;
+
+/* Update the access rights for the current thread for KEY, which must
+ have been allocated using pkey_alloc. */
+int pkey_set (int __key, unsigned int __access_rights) __THROW;
+
+/* Return the access rights for the current thread for KEY, which must
+ have been allocated using pkey_alloc. */
+int pkey_get (int _key) __THROW;
+
+/* Free an allocated protection key, which must have been allocated
+ using pkey_alloc. */
+int pkey_free (int __key) __THROW;
+
+/* Apply memory protection flags for KEY to the specified address
+ range. */
+int pkey_mprotect (void *__addr, size_t __len, int __prot, int __pkey) __THROW;
+
+__END_DECLS
+
+#endif /* __USE_GNU */
@@ -111,8 +111,12 @@ enum
{
SEGV_MAPERR = 1, /* Address not mapped to object. */
# define SEGV_MAPERR SEGV_MAPERR
- SEGV_ACCERR /* Invalid permissions for mapped object. */
+ SEGV_ACCERR, /* Invalid permissions for mapped object. */
# define SEGV_ACCERR SEGV_ACCERR
+ SEGV_BNDERR, /* Bounds checking failure. */
+# define SEGV_BNDERR SEGV_BNDERR
+ SEGV_PKUERR /* Protection key checking failure. */
+# define SEGV_PKUERR SEGV_PKUERR
};
/* `si_code' values for SIGBUS signal. */
@@ -1872,6 +1872,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 __ctype_b_loc F
GLIBC_2.3 __ctype_tolower_loc F
@@ -2037,6 +2037,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 __ctype_b_loc F
GLIBC_2.3 __ctype_tolower_loc F
@@ -1901,6 +1901,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 __ctype_b_loc F
GLIBC_2.3 __ctype_tolower_loc F
@@ -109,6 +109,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.4 GLIBC_2.4 A
GLIBC_2.4 _Exit F
GLIBC_2.4 _IO_2_1_stderr_ D 0x98
@@ -1986,6 +1986,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 __ctype_b_loc F
GLIBC_2.3 __ctype_tolower_loc F
@@ -2107,3 +2107,8 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
@@ -1961,6 +1961,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 __ctype_b_loc F
GLIBC_2.3 __ctype_tolower_loc F
@@ -1959,6 +1959,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 __ctype_b_loc F
GLIBC_2.3 __ctype_tolower_loc F
@@ -1957,6 +1957,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.27 strfromf128 F
GLIBC_2.27 strtof128 F
GLIBC_2.27 strtof128_l F
@@ -1952,6 +1952,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.27 strfromf128 F
GLIBC_2.27 strtof128 F
GLIBC_2.27 strtof128_l F
@@ -2148,3 +2148,8 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
new file mode 100644
@@ -0,0 +1,26 @@
+/* Obtaining the thread memory protection key, generic stub.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <errno.h>
+
+int
+pkey_get (int key)
+{
+ __set_errno (ENOSYS);
+ return -1;
+}
new file mode 100644
@@ -0,0 +1,26 @@
+/* Changing the thread memory protection key, generic stub.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <errno.h>
+
+int
+pkey_set (int key, unsigned int access_rights)
+{
+ __set_errno (ENOSYS);
+ return -1;
+}
@@ -1990,6 +1990,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 __ctype_b_loc F
GLIBC_2.3 __ctype_tolower_loc F
@@ -1995,6 +1995,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 __ctype_b_loc F
GLIBC_2.3 __ctype_tolower_loc F
@@ -2202,3 +2202,8 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
@@ -109,6 +109,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 _Exit F
GLIBC_2.3 _IO_2_1_stderr_ D 0xe0
@@ -1990,6 +1990,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.27 strfromf128 F
GLIBC_2.27 strtof128 F
GLIBC_2.27 strtof128_l F
@@ -1891,6 +1891,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.27 strfromf128 F
GLIBC_2.27 strtof128 F
GLIBC_2.27 strtof128_l F
@@ -1876,6 +1876,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 __ctype_b_loc F
GLIBC_2.3 __ctype_tolower_loc F
@@ -1983,6 +1983,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.27 strfromf128 F
GLIBC_2.27 strtof128 F
GLIBC_2.27 strtof128_l F
@@ -1920,6 +1920,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.27 strfromf128 F
GLIBC_2.27 strtof128 F
GLIBC_2.27 strtof128_l F
@@ -110,3 +110,6 @@ setns EXTRA setns i:ii setns
process_vm_readv EXTRA process_vm_readv i:ipipii process_vm_readv
process_vm_writev EXTRA process_vm_writev i:ipipii process_vm_writev
memfd_create EXTRA memfd_create i:si memfd_create
+pkey_alloc EXTRA pkey_alloc i:ii pkey_alloc
+pkey_free EXTRA pkey_free i:i pkey_free
+pkey_mprotect EXTRA pkey_mprotect i:aiii pkey_mprotect
@@ -2114,3 +2114,8 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
@@ -2114,3 +2114,8 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
@@ -2114,3 +2114,8 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
new file mode 100644
@@ -0,0 +1,320 @@
+/* Tests for memory protection keys.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <errno.h>
+#include <inttypes.h>
+#include <setjmp.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <support/check.h>
+#include <support/support.h>
+#include <support/test-driver.h>
+#include <support/xsignal.h>
+#include <support/xthread.h>
+#include <support/xunistd.h>
+#include <sys/mman.h>
+
+/* Used to force threads to wait until the main thread has set up the
+ keys as intended. */
+static pthread_barrier_t barrier;
+
+/* The keys used for testing. These have been allocated with access
+ rights set based on their array index. */
+enum { key_count = 4 };
+static int keys[key_count];
+static volatile int *pages[key_count];
+
+/* Used to report results from the signal handler. */
+static volatile void *sigsegv_addr;
+static volatile int sigsegv_code;
+static volatile int sigsegv_pkey;
+static sigjmp_buf sigsegv_jmp;
+
+/* Used to handle expected read or write faults. */
+static void
+sigsegv_handler (int signum, siginfo_t *info, void *context)
+{
+ sigsegv_addr = info->si_addr;
+ sigsegv_code = info->si_code;
+ sigsegv_pkey = info->si_pkey;
+ siglongjmp (sigsegv_jmp, 2);
+}
+
+static const struct sigaction sigsegv_sigaction =
+ {
+ .sa_flags = SA_RESETHAND | SA_SIGINFO,
+ .sa_sigaction = &sigsegv_handler,
+ };
+
+/* Check if PAGE is readable (if !WRITE) or writable (if WRITE). */
+static bool
+check_page_access (int page, bool write)
+{
+ /* This is needed to work around bug 22396: On x86-64, siglongjmp
+ does not restore the protection key access rights for the current
+ thread. We restore only the access rights for the keys under
+ test. (This is not a general solution to this problem, but it
+ allows testing to proceed after a fault.) */
+ unsigned saved_rights[key_count];
+ for (int i = 0; i < key_count; ++i)
+ saved_rights[i] = pkey_get (keys[i]);
+
+ volatile int *addr = pages[page];
+ if (test_verbose > 0)
+ {
+ printf ("info: checking access at %p (page %d) for %s\n",
+ addr, page, write ? "writing" : "reading");
+ }
+ int result = sigsetjmp (sigsegv_jmp, 1);
+ if (result == 0)
+ {
+ xsigaction (SIGSEGV, &sigsegv_sigaction, NULL);
+ if (write)
+ *addr = 3;
+ else
+ (void) *addr;
+ xsignal (SIGSEGV, SIG_DFL);
+ if (test_verbose > 0)
+ puts (" --> access allowed");
+ return true;
+ }
+ else
+ {
+ xsignal (SIGSEGV, SIG_DFL);
+ if (test_verbose > 0)
+ puts (" --> access denied");
+ TEST_COMPARE (result, 2);
+ TEST_COMPARE ((uintptr_t) sigsegv_addr, (uintptr_t) addr);
+ TEST_COMPARE (sigsegv_code, SEGV_PKUERR);
+ TEST_COMPARE (sigsegv_pkey, keys[page]);
+ for (int i = 0; i < key_count; ++i)
+ TEST_COMPARE (pkey_set (keys[i], saved_rights[i]), 0);
+ return false;
+ }
+}
+
+static volatile sig_atomic_t sigusr1_handler_ran;
+
+/* Used to check that access is revoked in signal handlers. */
+static void
+sigusr1_handler (int signum)
+{
+ TEST_COMPARE (signum, SIGUSR1);
+ for (int i = 0; i < key_count; ++i)
+ TEST_COMPARE (pkey_get (keys[i]), PKEY_DISABLE_ACCESS);
+ sigusr1_handler_ran = 1;
+}
+
+/* Used to report results from other threads. */
+struct thread_result
+{
+ int access_rights[key_count];
+ pthread_t next_thread;
+};
+
+/* Return the thread's access rights for the keys under test. */
+static void *
+get_thread_func (void *closure)
+{
+ struct thread_result *result = xmalloc (sizeof (*result));
+ for (int i = 0; i < key_count; ++i)
+ result->access_rights[i] = pkey_get (keys[i]);
+ memset (&result->next_thread, 0, sizeof (result->next_thread));
+ return result;
+}
+
+/* Wait for initialization and then check that the current thread does
+ not have access through the keys under test. */
+static void *
+initial_thread_func (void *closure)
+{
+ pthread_barrier_wait (&barrier);
+ struct thread_result *result = get_thread_func (NULL);
+
+ /* Also check directly. This code should not run with other threads
+ in parallel because of the SIGSEGV handler which is installed by
+ check_page_access. */
+ for (int i = 0; i < key_count; ++i)
+ {
+ TEST_VERIFY (!check_page_access (i, false));
+ TEST_VERIFY (!check_page_access (i, true));
+ }
+
+ result->next_thread = xpthread_create (NULL, get_thread_func, NULL);
+ return result;
+}
+
+static int
+do_test (void)
+{
+ long pagesize = xsysconf (_SC_PAGESIZE);
+
+ xpthread_barrier_init (&barrier, NULL, 2);
+ pthread_t initial_thread = xpthread_create
+ (NULL, &initial_thread_func, NULL);
+
+ keys[0] = pkey_alloc (0, 0);
+ if (keys[0] < 0)
+ {
+ if (errno == ENOSYS)
+ {
+ puts ("warning: kernel does not support memory protection keys");
+ return EXIT_UNSUPPORTED;
+ }
+ if (errno == ENOSPC)
+ {
+ puts ("warning: CPU does not support memory protection keys");
+ return EXIT_UNSUPPORTED;
+ }
+ FAIL_EXIT1 ("pkey_alloc: %m");
+ }
+ TEST_COMPARE (pkey_get (keys[0]), 0);
+ for (int i = 1; i < key_count; ++i)
+ {
+ keys[i] = pkey_alloc (0, i);
+ if (keys[i] < 0)
+ FAIL_EXIT1 ("pkey_alloc (0, %d): %m", i);
+ /* pkey_alloc is supposed to change the current thread's access
+ rights for the new key. */
+ TEST_COMPARE (pkey_get (keys[i]), i);
+ }
+ /* Check that all the keys have the expected access rights for the
+ current thread. */
+ for (int i = 0; i < key_count; ++i)
+ TEST_COMPARE (pkey_get (keys[i]), i);
+
+ /* Allocate a test page for each key. */
+ for (int i = 0; i < key_count; ++i)
+ {
+ pages[i] = xmmap (NULL, pagesize, PROT_READ | PROT_WRITE,
+ MAP_ANONYMOUS | MAP_PRIVATE, -1);
+ TEST_COMPARE (pkey_mprotect ((void *) pages[i], pagesize,
+ PROT_READ | PROT_WRITE, keys[i]), 0);
+ }
+
+ /* Check that the initial thread does not have access to the new
+ keys. */
+ {
+ pthread_barrier_wait (&barrier);
+ struct thread_result *result = xpthread_join (initial_thread);
+ for (int i = 0; i < key_count; ++i)
+ TEST_COMPARE (result->access_rights[i],
+ PKEY_DISABLE_ACCESS);
+ struct thread_result *result2 = xpthread_join (result->next_thread);
+ for (int i = 0; i < key_count; ++i)
+ TEST_COMPARE (result->access_rights[i],
+ PKEY_DISABLE_ACCESS);
+ free (result);
+ free (result2);
+ }
+
+ /* Check that the current thread access rights are inherited by new
+ threads. */
+ {
+ pthread_t get_thread = xpthread_create (NULL, get_thread_func, NULL);
+ struct thread_result *result = xpthread_join (get_thread);
+ for (int i = 0; i < key_count; ++i)
+ TEST_COMPARE (result->access_rights[i], i);
+ free (result);
+ }
+
+ for (int i = 0; i < key_count; ++i)
+ TEST_COMPARE (pkey_get (keys[i]), i);
+
+ /* Check that in a signal handler, there is no access. */
+ xsignal (SIGUSR1, &sigusr1_handler);
+ xraise (SIGUSR1);
+ xsignal (SIGUSR1, SIG_DFL);
+ TEST_COMPARE (sigusr1_handler_ran, 1);
+
+ /* The first key results in a writable page. */
+ TEST_VERIFY (check_page_access (0, false));
+ TEST_VERIFY (check_page_access (0, true));
+
+ /* The other keys do not. */
+ for (int i = 1; i < key_count; ++i)
+ {
+ if (test_verbose)
+ printf ("info: checking access for key %d, bits 0x%x\n",
+ i, pkey_get (keys[i]));
+ for (int j = 0; j < key_count; ++j)
+ TEST_COMPARE (pkey_get (keys[j]), j);
+ if (i & PKEY_DISABLE_ACCESS)
+ {
+ TEST_VERIFY (!check_page_access (i, false));
+ TEST_VERIFY (!check_page_access (i, true));
+ }
+ else
+ {
+ TEST_VERIFY (i & PKEY_DISABLE_WRITE);
+ TEST_VERIFY (check_page_access (i, false));
+ TEST_VERIFY (!check_page_access (i, true));
+ }
+ }
+
+ /* But if we set the current thread's access rights, we gain
+ access. */
+ for (int do_write = 0; do_write < 2; ++do_write)
+ for (int allowed_key = 0; allowed_key < key_count; ++allowed_key)
+ {
+ for (int i = 0; i < key_count; ++i)
+ if (i == allowed_key)
+ {
+ if (do_write)
+ TEST_COMPARE (pkey_set (keys[i], 0), 0);
+ else
+ TEST_COMPARE (pkey_set (keys[i], PKEY_DISABLE_WRITE), 0);
+ }
+ else
+ TEST_COMPARE (pkey_set (keys[i], PKEY_DISABLE_ACCESS), 0);
+
+ if (test_verbose)
+ printf ("info: key %d is allowed access for %s\n",
+ allowed_key, do_write ? "writing" : "reading");
+ for (int i = 0; i < key_count; ++i)
+ if (i == allowed_key)
+ {
+ TEST_VERIFY (check_page_access (i, false));
+ TEST_VERIFY (check_page_access (i, true) == do_write);
+ }
+ else
+ {
+ TEST_VERIFY (!check_page_access (i, false));
+ TEST_VERIFY (!check_page_access (i, true));
+ }
+ }
+
+
+ TEST_COMPARE (pkey_free (keys[0]), 0);
+ /* Second pkey_free will fail because the key has already been
+ freed. */
+ TEST_COMPARE (pkey_free (keys[0]),-1);
+ TEST_COMPARE (errno, EINVAL);
+ for (int i = 1; i < key_count; ++i)
+ TEST_COMPARE (pkey_free (keys[i]), 0);
+
+ for (int i = 0; i < key_count; ++i)
+ xmunmap ((void *) pages[i], pagesize);
+
+ xpthread_barrier_destroy (&barrier);
+ return 0;
+}
+
+#include <support/test-driver.c>
@@ -1878,6 +1878,11 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F
GLIBC_2.3 GLIBC_2.3 A
GLIBC_2.3 __ctype_b_loc F
GLIBC_2.3 __ctype_tolower_loc F
new file mode 100644
@@ -0,0 +1,40 @@
+/* Helper functions for manipulating memory protection keys.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#ifndef _ARCH_PKEY_H
+#define _ARCH_PKEY_H
+
+/* Return the value of the PKRU register. */
+static inline unsigned int
+pkey_read (void)
+{
+ unsigned int result;
+ __asm__ volatile (".byte 0x0f, 0x01, 0xee"
+ : "=a" (result) : "c" (0) : "rdx");
+ return result;
+}
+
+/* Overwrite the PKRU register with VALUE. */
+static inline void
+pkey_write (unsigned int value)
+{
+ __asm__ volatile (".byte 0x0f, 0x01, 0xef"
+ : : "a" (value), "c" (0), "d" (0));
+}
+
+#endif /* _ARCH_PKEY_H */
new file mode 100644
@@ -0,0 +1,33 @@
+/* Reading the per-thread memory protection key, x86_64 version.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <arch-pkey.h>
+#include <errno.h>
+
+int
+pkey_get (int key)
+{
+ if (key < 0 || key > 15)
+ {
+ __set_errno (EINVAL);
+ return -1;
+ }
+ unsigned int pkru = pkey_read ();
+ return (pkru >> (2 * key)) & 3;
+ return 0;
+}
new file mode 100644
@@ -0,0 +1,35 @@
+/* Changing the per-thread memory protection key, x86_64 version.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <arch-pkey.h>
+#include <errno.h>
+
+int
+pkey_set (int key, unsigned int rights)
+{
+ if (key < 0 || key > 15 || rights > 3)
+ {
+ __set_errno (EINVAL);
+ return -1;
+ }
+ unsigned int mask = 3 << (2 * key);
+ unsigned int pkru = pkey_read ();
+ pkru = (pkru & ~mask) | (rights << (2 * key));
+ pkey_write (pkru);
+ return 0;
+}
@@ -2121,3 +2121,8 @@ GLIBC_2.27 GLIBC_2.27 A
GLIBC_2.27 glob F
GLIBC_2.27 glob64 F
GLIBC_2.27 memfd_create F
+GLIBC_2.27 pkey_alloc F
+GLIBC_2.27 pkey_free F
+GLIBC_2.27 pkey_get F
+GLIBC_2.27 pkey_mprotect F
+GLIBC_2.27 pkey_set F