On Tue, May 16, 2023 at 10:08 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > On Mon, May 15, 2023 at 01:05:46PM +0000, jeffxu@xxxxxxxxxxxx wrote: > > This patch introduces a new flag, PKEY_ENFORCE_API, to the pkey_alloc() > > function. When a PKEY is created with this flag, it is enforced that any > > thread that wants to make changes to the memory mapping (such as mprotect) > > of the memory must have write access to the PKEY. PKEYs created without > > this flag will continue to work as they do now, for backwards > > compatibility. > > > > Only PKEY created from user space can have the new flag set, the PKEY > > allocated by the kernel internally will not have it. In other words, > > ARCH_DEFAULT_PKEY(0) and execute_only_pkey won’t have this flag set, > > and continue work as today. > > Cool! Yeah, this looks like it could become quite useful. I assume > V8 folks are on board with this API, etc? Yes! (I'm from the v8 team driving the implementation on v8 side) > > This set of patch covers mprotect/munmap, I plan to work on other > > syscalls after this. > > Which ones are on your list currently? > > -- > Kees Cook
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature