Re: [PATCH 2/9] mm: implement new pkey_mprotect() system call
From: Dave Hansen
Date: Mon Jun 13 2016 - 12:03:43 EST
On 06/11/2016 02:47 AM, Thomas Gleixner wrote:
> On Wed, 8 Jun 2016, Dave Hansen wrote:
>> > Proposed semantics:
>> > 1. protection key 0 is special and represents the default,
>> > unassigned protection key. It is always allocated.
>> > 2. mprotect() never affects a mapping's pkey_mprotect()-assigned
>> > protection key. A protection key of 0 (even if set explicitly)
>> > represents an unassigned protection key.
>> > 2a. mprotect(PROT_EXEC) on a mapping with an assigned protection
>> > key may or may not result in a mapping with execute-only
>> > properties. pkey_mprotect() plus pkey_set() on all threads
>> > should be used to _guarantee_ execute-only semantics.
>> > 3. mprotect(PROT_EXEC) may result in an "execute-only" mapping. The
>> > kernel will internally attempt to allocate and dedicate a
>> > protection key for the purpose of execute-only mappings. This
>> > may not be possible in cases where there are no free protection
>> > keys available.
> Shouldn't we just reserve a protection key for PROT_EXEC unconditionally?
Normal userspace does not do PROT_EXEC today. So, today, we'd
effectively lose one of our keys by reserving it. Of the folks I've
talked to who really want this feature, and *will* actually use it, one
of the most common complaints is that there are too few keys.
Folks who actively *want* true PROT_EXEC semantics can use the explicit
pkey interfaces.