From: KP Singh <kpsingh@xxxxxxxxxx> This patch is not needed after arch_bpf_prepare_trampoline moves to using text_poke. The two IPI TLB flushes can be further optimized if a new API to handle W^X in the kernel emerges as an outcome of: https://lore.kernel.org/bpf/20200103234725.22846-1-kpsingh@xxxxxxxxxxxx/ Signed-off-by: KP Singh <kpsingh@xxxxxxxxxx> --- security/bpf/hooks.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c index 4e71da0e8e9e..30f68341f5ef 100644 --- a/security/bpf/hooks.c +++ b/security/bpf/hooks.c @@ -222,6 +222,15 @@ static struct bpf_lsm_hook *bpf_lsm_hook_alloc( goto error; } + /* First make the page read-only, and only then make it executable to + * prevent it from being W+X in between. + */ + set_memory_ro((unsigned long)image, 1); + /* More checks can be done here to ensure that nothing was changed + * between arch_prepare_bpf_trampoline and set_memory_ro. + */ + set_memory_x((unsigned long)image, 1); + hook = kzalloc(sizeof(struct bpf_lsm_hook), GFP_KERNEL); if (!hook) { ret = -ENOMEM; -- 2.20.1
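Review bot: the return values of set_memory_ro() and set_memory_x() are discarded in the added lines of bpf_lsm_hook_alloc(), so a failed permission change goes unnoticed and the function continues to kzalloc() the hook with an image that may still be writable or not yet executable. Both helpers return an int; suggest capturing it, e.g. `ret = set_memory_ro((unsigned long)image, 1); if (ret) goto error;`, and doing the same for set_memory_x(), reusing the existing error label visible in the context lines. Two smaller points: the hard-coded page count of 1 assumes the image occupies exactly one page, which this hunk does not show, so a short comment or a named constant tying it to the allocation size would help; and the comment "More checks can be done here" should either name the check that is intended or be dropped, since as written it documents a window between arch_prepare_bpf_trampoline and set_memory_ro without closing it. The commit message spells the function arch_bpf_prepare_trampoline while the code comment uses arch_prepare_bpf_trampoline; one of the two should be corrected so they match.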