[v3,2/2] pkey: add test for memory protection keys

Message ID	20190625070737.30408-3-liwang@redhat.com
State	Superseded
Headers	show Return-Path: <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it> From: Li Wang <liwang@redhat.com> To: ltp@lists.linux.it Date: Tue, 25 Jun 2019 15:07:37 +0800 Message-Id: <20190625070737.30408-3-liwang@redhat.com> In-Reply-To: <20190625070737.30408-2-liwang@redhat.com> References: <20190625070737.30408-1-liwang@redhat.com> <20190625070737.30408-2-liwang@redhat.com> MIME-Version: 1.0 Subject: [LTP] [PATCH v3 2/2] pkey: add test for memory protection keys Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>
Series	Test for Memory Protection Key \| expand [v3,0/2] Test for Memory Protection Key [v3,1/2] pkey: add syscall numbers for pkey [v3,2/2] pkey: add test for memory protection keys

Message ID

20190625070737.30408-3-liwang@redhat.com

State

Superseded

Headers

From: Li Wang <liwang@redhat.com>
To: ltp@lists.linux.it
Date: Tue, 25 Jun 2019 15:07:37 +0800
Message-Id: <20190625070737.30408-3-liwang@redhat.com>
In-Reply-To: <20190625070737.30408-2-liwang@redhat.com>
References: <20190625070737.30408-1-liwang@redhat.com>
	<20190625070737.30408-2-liwang@redhat.com>
MIME-Version: 1.0
Subject: [LTP] [PATCH v3 2/2] pkey: add test for memory protection keys
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it
Sender: "ltp" <ltp-bounces+incoming=patchwork.ozlabs.org@lists.linux.it>

Series

Test for Memory Protection Key | expand

Commit Message

Li Wang June 25, 2019, 7:07 a.m. UTC

Memory Protection Keys for Userspace (PKU aka PKEYs) is a Skylake-SP
server feature that provides a mechanism for enforcing page-based
protections, but without requiring modification of the page tables
when an application changes protection domains. It works by dedicating
4 previously ignored bits in each page table entry to a "protection key",
giving 16 possible keys.

Basic method for PKEYs test:
  1. test allocates a pkey(e.g. PKEY_DISABLE_ACCESS) via pkey_alloc()
  2. pkey_mprotect() apply this pkey to a piece of memory buffer
  3. check if the access right of buffer has been changed and take effect
  4. remove the access right(pkey) from this buffer via pkey_mprotect()
  5. check if buffer area can be read or write after removing pkey
  6. pkey_free() releases the pkey after using it

Looping around this basic test on diffenrent types of memory.

Signed-off-by: Li Wang <liwang@redhat.com>
---
 configure.ac                               |   1 +
 runtest/syscalls                           |   2 +
 testcases/kernel/syscalls/pkeys/.gitignore |   1 +
 testcases/kernel/syscalls/pkeys/Makefile   |   8 +
 testcases/kernel/syscalls/pkeys/pkey.h     |  50 +++++
 testcases/kernel/syscalls/pkeys/pkey01.c   | 235 +++++++++++++++++++++
 6 files changed, 297 insertions(+)
 create mode 100644 testcases/kernel/syscalls/pkeys/.gitignore
 create mode 100644 testcases/kernel/syscalls/pkeys/Makefile
 create mode 100644 testcases/kernel/syscalls/pkeys/pkey.h
 create mode 100644 testcases/kernel/syscalls/pkeys/pkey01.c

Comments

Jan Stancek June 25, 2019, 9:01 a.m. UTC | #1

----- Original Message -----
> +
> +#ifndef PKEYS_H
> +#define PKEYS_H
> +
> +#include "tst_test.h"
> +#include "lapi/syscalls.h"
> +
> +#ifndef PKEY_DISABLE_ACCESS
> +# define PKEY_DISABLE_ACCESS 0x1
> +# define PKEY_DISABLE_WRITE  0x2
> +#endif
> +
> +#ifndef HAVE_PKEY_MPROTECT
> +static inline int pkey_mprotect(void *addr, size_t len, int prot, int pkey)
> +{
> +	return tst_syscall(SYS_pkey_mprotect, addr, len, prot, pkey);

Hi,

This should be __NR_*:

In file included from pkey01.c:32:
pkey.h: In function ‘pkey_mprotect’:
pkey.h:20: error: ‘SYS_pkey_mprotect’ undeclared (first use in this function)
pkey.h:20: error: (Each undeclared identifier is reported only once
pkey.h:20: error: for each function it appears in.)
pkey.h: In function ‘pkey_alloc’:
pkey.h:25: error: ‘SYS_pkey_alloc’ undeclared (first use in this function)
pkey.h: In function ‘pkey_free’:
pkey.h:30: error: ‘SYS_pkey_free’ undeclared (first use in this function)

> +static void setup(void)
> +{
> +	int i, fd;
> +
> +	if (access("/proc/sys/vm/nr_hugepages", F_OK)) {
> +		tst_res(TINFO, "Huge page is not supported");
> +		size = getpagesize();
> +		no_hugepage = 1;
> +	} else {
> +		SAFE_FILE_PRINTF("/proc/sys/vm/nr_hugepages", "%d", 1);

There are 2 problems here, both related to fact that this file exists,
but may return EOPNOTSUPP on read/write.

1. save_restore should ignore also read/open errors if path is prefixed with '?'
   I'll send this separately.

2. SAFE_FILE_PRINTF in pkey01.c shouldn't be safe, because we need to somehow
   detect that write worked

# ls -la /proc/sys/vm/nr_hugepages
-rw-r--r--. 1 root root 0 Jun 25 04:12 /proc/sys/vm/nr_hugepages

# cat /proc/sys/vm/nr_hugepages
cat: /proc/sys/vm/nr_hugepages: Operation not supported

> +static struct tst_test test = {
> +	.tcnt = ARRAY_SIZE(tcases),
> +	.forks_child = 1,
> +	.test = verify_pkey,
> +	.setup = setup,
> +	.cleanup = cleanup,
> +	.save_restore = save_restore,

.needs_root = 1 as well, since we write to /proc and mount tmpfs

Rest looks good to me, but I haven't found yet system that could run the test.

Regards,
Jan

Li Wang June 25, 2019, 9:33 a.m. UTC | #2

On Tue, Jun 25, 2019 at 5:01 PM Jan Stancek <jstancek@redhat.com> wrote:

>
> ----- Original Message -----
> > +
> > +#ifndef PKEYS_H
> > +#define PKEYS_H
> > +
> > +#include "tst_test.h"
> > +#include "lapi/syscalls.h"
> > +
> > +#ifndef PKEY_DISABLE_ACCESS
> > +# define PKEY_DISABLE_ACCESS 0x1
> > +# define PKEY_DISABLE_WRITE  0x2
> > +#endif
> > +
> > +#ifndef HAVE_PKEY_MPROTECT
> > +static inline int pkey_mprotect(void *addr, size_t len, int prot, int
> pkey)
> > +{
> > +     return tst_syscall(SYS_pkey_mprotect, addr, len, prot, pkey);
>
> Hi,
>
> This should be __NR_*:
>

Exactly. Sorry about that mistake.


>
> In file included from pkey01.c:32:
> pkey.h: In function ‘pkey_mprotect’:
> pkey.h:20: error: ‘SYS_pkey_mprotect’ undeclared (first use in this
> function)
> pkey.h:20: error: (Each undeclared identifier is reported only once
> pkey.h:20: error: for each function it appears in.)
> pkey.h: In function ‘pkey_alloc’:
> pkey.h:25: error: ‘SYS_pkey_alloc’ undeclared (first use in this function)
> pkey.h: In function ‘pkey_free’:
> pkey.h:30: error: ‘SYS_pkey_free’ undeclared (first use in this function)
>
> > +static void setup(void)
> > +{
> > +     int i, fd;
> > +
> > +     if (access("/proc/sys/vm/nr_hugepages", F_OK)) {
> > +             tst_res(TINFO, "Huge page is not supported");
> > +             size = getpagesize();
> > +             no_hugepage = 1;
> > +     } else {
> > +             SAFE_FILE_PRINTF("/proc/sys/vm/nr_hugepages", "%d", 1);
>
> There are 2 problems here, both related to fact that this file exists,
> but may return EOPNOTSUPP on read/write.
>
> 1. save_restore should ignore also read/open errors if path is prefixed
> with '?'
>    I'll send this separately.
>

Thank you for that patch.



>
> 2. SAFE_FILE_PRINTF in pkey01.c shouldn't be safe, because we need to
> somehow
>    detect that write worked
>

Yes, we should verify if that value has been wrote.

>
> # ls -la /proc/sys/vm/nr_hugepages
> -rw-r--r--. 1 root root 0 Jun 25 04:12 /proc/sys/vm/nr_hugepages
>
> # cat /proc/sys/vm/nr_hugepages
> cat: /proc/sys/vm/nr_hugepages: Operation not supported
>
> > +static struct tst_test test = {
> > +     .tcnt = ARRAY_SIZE(tcases),
> > +     .forks_child = 1,
> > +     .test = verify_pkey,
> > +     .setup = setup,
> > +     .cleanup = cleanup,
> > +     .save_restore = save_restore,
>
> .needs_root = 1 as well, since we write to /proc and mount tmpfs
>

Agree.

>
> Rest looks good to me, but I haven't found yet system that could run the
> test.
>
> Regards,
> Jan
>

diff --git a/configure.ac b/configure.ac
index 65fc2a232..5a9b74b0a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -74,6 +74,7 @@  AC_CHECK_FUNCS([ \
     pidfd_send_signal \
     preadv \
     preadv2 \
+    pkey_mprotect \
     profil \
     pwritev \
     pwritev2 \
diff --git a/runtest/syscalls b/runtest/syscalls
index c6a064481..6ea991f12 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -721,6 +721,8 @@  mprotect02 mprotect02
 mprotect03 mprotect03
 mprotect04 mprotect04
 
+pkey01 pkey01
+
 mq_notify01 mq_notify01
 mq_notify02 mq_notify02
 mq_open01 mq_open01
diff --git a/testcases/kernel/syscalls/pkeys/.gitignore b/testcases/kernel/syscalls/pkeys/.gitignore
new file mode 100644
index 000000000..6fd5addb8
--- /dev/null
+++ b/testcases/kernel/syscalls/pkeys/.gitignore
@@ -0,0 +1 @@ 
+/pkey01
diff --git a/testcases/kernel/syscalls/pkeys/Makefile b/testcases/kernel/syscalls/pkeys/Makefile
new file mode 100644
index 000000000..9ee2c2ea5
--- /dev/null
+++ b/testcases/kernel/syscalls/pkeys/Makefile
@@ -0,0 +1,8 @@ 
+# SPDX-License-Identifier: GPL-2.0-or-later
+# Copyright (c) 2019 Red Hat, Inc.
+
+top_srcdir		?= ../../../..
+
+include $(top_srcdir)/include/mk/testcases.mk
+
+include $(top_srcdir)/include/mk/generic_leaf_target.mk
diff --git a/testcases/kernel/syscalls/pkeys/pkey.h b/testcases/kernel/syscalls/pkeys/pkey.h
new file mode 100644
index 000000000..ccbb5ff3c
--- /dev/null
+++ b/testcases/kernel/syscalls/pkeys/pkey.h
@@ -0,0 +1,50 @@ 
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ */
+
+#ifndef PKEYS_H
+#define PKEYS_H
+
+#include "tst_test.h"
+#include "lapi/syscalls.h"
+
+#ifndef PKEY_DISABLE_ACCESS
+# define PKEY_DISABLE_ACCESS 0x1
+# define PKEY_DISABLE_WRITE  0x2
+#endif
+
+#ifndef HAVE_PKEY_MPROTECT
+static inline int pkey_mprotect(void *addr, size_t len, int prot, int pkey)
+{
+	return tst_syscall(SYS_pkey_mprotect, addr, len, prot, pkey);
+}
+
+static inline int pkey_alloc(unsigned int flags, unsigned int access_rights)
+{
+	return tst_syscall(SYS_pkey_alloc, flags, access_rights);
+}
+
+static inline int pkey_free(int pkey)
+{
+	return tst_syscall(SYS_pkey_free, pkey);
+}
+#endif /* HAVE_PKEY_MPROTECT */
+
+static inline void check_pkey_support(void)
+{
+	int pkey = pkey_alloc(0, 0);
+
+	if (pkey == -1) {
+		if (errno == ENOSYS)
+			tst_brk(TCONF, "pkey_alloc is not implemented");
+		if (errno == EINVAL)
+			tst_brk(TCONF, "pku is not supported on this CPU");
+		if (errno == ENOSPC)
+			tst_brk(TCONF, "pkeys are not available for test");
+	}
+
+	pkey_free(pkey);
+}
+
+#endif /* PKEYS_H */
diff --git a/testcases/kernel/syscalls/pkeys/pkey01.c b/testcases/kernel/syscalls/pkeys/pkey01.c
new file mode 100644
index 000000000..444c2d596
--- /dev/null
+++ b/testcases/kernel/syscalls/pkeys/pkey01.c
@@ -0,0 +1,235 @@ 
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2019 Red Hat, Inc.
+ *
+ * Memory Protection Keys for Userspace (PKU aka PKEYs) is a Skylake-SP
+ * server feature that provides a mechanism for enforcing page-based
+ * protections, but without requiring modification of the page tables
+ * when an application changes protection domains. It works by dedicating
+ * 4 previously ignored bits in each page table entry to a "protection key",
+ * giving 16 possible keys.
+ *
+ * Basic method for PKEYs testing:
+ *    1. test allocates a pkey(e.g. PKEY_DISABLE_ACCESS) via pkey_alloc()
+ *    2. pkey_mprotect() apply this pkey to a piece of memory(buffer)
+ *    3. check if access right of the buffer has been changed and take effect
+ *    4. remove the access right(pkey) from this buffer via pkey_mprotect()
+ *    5. check if buffer area can be read or write after removing pkey
+ *    6. pkey_free() releases the pkey after using it
+ *
+ * Looping around this basic test on diffenrent types of memory.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <sys/syscall.h>
+#include <sys/mman.h>
+#include <sys/wait.h>
+
+#include "pkey.h"
+
+#define TMP_DIR "tmp_pkey"
+#define TEST_FILE TMP_DIR"/testfile"
+#define STR "abcdefghijklmnopqrstuvwxyz12345\n"
+
+static int size;
+static int no_hugepage;
+
+static const char * const save_restore[] = {
+	"?/proc/sys/vm/nr_hugepages",
+	NULL,
+};
+
+static struct tcase {
+	unsigned long flags;
+	unsigned long access_rights;
+	char *name;
+} tcases[] = {
+	{0, PKEY_DISABLE_ACCESS, "PKEY_DISABLE_ACCESS"},
+	{0, PKEY_DISABLE_WRITE, "PKEY_DISABLE_WRITE"},
+};
+
+static void setup(void)
+{
+	int i, fd;
+
+	if (access("/proc/sys/vm/nr_hugepages", F_OK)) {
+		tst_res(TINFO, "Huge page is not supported");
+		size = getpagesize();
+		no_hugepage = 1;
+	} else {
+		SAFE_FILE_PRINTF("/proc/sys/vm/nr_hugepages", "%d", 1);
+		size = SAFE_READ_MEMINFO("Hugepagesize:") * 1024;
+	}
+
+	SAFE_MKDIR(TMP_DIR, 0664);
+	SAFE_MOUNT(TMP_DIR, TMP_DIR, "tmpfs", 0, NULL);
+
+	check_pkey_support();
+
+	fd = SAFE_OPEN(TEST_FILE, O_RDWR | O_CREAT, 0664);
+	for (i = 0; i < 128; i++)
+		SAFE_WRITE(1, fd, STR, strlen(STR));
+
+	SAFE_CLOSE(fd);
+}
+
+static void cleanup(void)
+{
+	SAFE_UMOUNT(TMP_DIR);
+	SAFE_RMDIR(TMP_DIR);
+}
+
+static struct mmap_param {
+	int prot;
+	int flags;
+	int fd;
+} mmap_params[] = {
+	{PROT_READ,  MAP_ANONYMOUS | MAP_PRIVATE, -1},
+	{PROT_READ,  MAP_ANONYMOUS | MAP_SHARED, -1},
+	{PROT_READ,  MAP_ANONYMOUS | MAP_PRIVATE | MAP_HUGETLB, -1},
+	{PROT_READ,  MAP_ANONYMOUS | MAP_SHARED  | MAP_HUGETLB, -1},
+	{PROT_READ,  MAP_PRIVATE, 0},
+	{PROT_READ,  MAP_SHARED, 0},
+
+	{PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1},
+	{PROT_WRITE, MAP_ANONYMOUS | MAP_SHARED, -1},
+	{PROT_WRITE, MAP_PRIVATE, 0},
+	{PROT_WRITE, MAP_SHARED, 0},
+	{PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_HUGETLB, -1},
+	{PROT_WRITE, MAP_ANONYMOUS | MAP_SHARED  | MAP_HUGETLB, -1},
+
+	{PROT_EXEC,  MAP_ANONYMOUS | MAP_PRIVATE, -1},
+	{PROT_EXEC,  MAP_ANONYMOUS | MAP_SHARED, -1},
+	{PROT_EXEC,  MAP_ANONYMOUS | MAP_PRIVATE | MAP_HUGETLB, -1},
+	{PROT_EXEC,  MAP_ANONYMOUS | MAP_SHARED  | MAP_HUGETLB, -1},
+	{PROT_EXEC,  MAP_PRIVATE, 0},
+	{PROT_EXEC,  MAP_SHARED, 0},
+
+	{PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1},
+	{PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_SHARED, -1},
+	{PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE | MAP_HUGETLB, -1},
+	{PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_SHARED  | MAP_HUGETLB, -1},
+	{PROT_READ | PROT_WRITE, MAP_PRIVATE, 0},
+	{PROT_READ | PROT_WRITE, MAP_SHARED, 0},
+
+	{PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, -1},
+	{PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_SHARED, -1},
+	{PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE | MAP_HUGETLB, -1},
+	{PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_SHARED  | MAP_HUGETLB, -1},
+	{PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE, 0},
+	{PROT_READ | PROT_WRITE | PROT_EXEC, MAP_SHARED, 0},
+};
+
+static void pkey_test(struct tcase *tc, struct mmap_param *mpa)
+{
+	pid_t pid;
+	char *buffer;
+	int pkey, status;
+	int fd = mpa->fd;
+
+	if (no_hugepage && (mpa->flags & MAP_HUGETLB)) {
+		tst_res(TINFO, "Skip the hugepage test");
+		return;
+	}
+
+	if (fd == 0)
+		fd = SAFE_OPEN(TEST_FILE, O_RDWR | O_CREAT, 0664);
+
+	buffer = SAFE_MMAP(NULL, size, mpa->prot, mpa->flags, fd, 0);
+
+	pkey = pkey_alloc(tc->flags, tc->access_rights);
+	if (pkey == -1)
+		tst_brk(TBROK | TERRNO, "pkey_alloc failed");
+
+	tst_res(TINFO, "Set %s on buffer", tc->name);
+	if (pkey_mprotect(buffer, size, mpa->prot, pkey) == -1)
+		tst_brk(TBROK | TERRNO, "pkey_mprotect failed");
+
+	pid = SAFE_FORK();
+	if (pid == 0) {
+		struct rlimit r;
+
+		r.rlim_cur = 1;
+		r.rlim_max = 1;
+		/* Children crash are expected, avoid dumping corefile */
+		SAFE_SETRLIMIT(RLIMIT_CORE, &r);
+
+		switch (tc->access_rights) {
+			case PKEY_DISABLE_ACCESS:
+			tst_res(TFAIL | TERRNO,
+				"Read buffer success, buffer[0] = %d", *buffer);
+		break;
+			case PKEY_DISABLE_WRITE:
+			*buffer = 'a';
+		break;
+		}
+		exit(0);
+	}
+
+	SAFE_WAITPID(pid, &status, 0);
+	if (WIFSIGNALED(status)) {
+		if (WTERMSIG(status) == SIGSEGV) {
+			tst_res(TPASS, "Child ended by %s as expected",
+				tst_strsig(SIGSEGV));
+		} else {
+			tst_res(TFAIL | TERRNO, "Child ended by %s unexpected" ,
+				tst_strsig(WTERMSIG(status)));
+		}
+	} else {
+		tst_res(TFAIL | TERRNO,
+			"Child unexpectedly ended with %d", WEXITSTATUS(status));
+	}
+
+	tst_res(TINFO, "Remove %s from buffer", tc->name);
+	if (pkey_mprotect(buffer, size, mpa->prot, 0x0) == -1)
+		tst_brk(TBROK | TERRNO, "pkey_mprotect failed");
+
+	switch (mpa->prot) {
+		case PROT_READ:
+		tst_res(TPASS, "Read buffer success, buffer[0] = %d", *buffer);
+	break;
+		case PROT_WRITE:
+		*buffer = 'a';
+		tst_res(TPASS, "Write buffer success, buffer[0] = %d", *buffer);
+	break;
+		case PROT_READ | PROT_WRITE:
+		*buffer = 'a';
+		tst_res(TPASS, "Read/Write buffer success, buffer[0] = %d", *buffer);
+	break;
+	}
+
+	if (fd >= 0)
+		SAFE_CLOSE(fd);
+
+	SAFE_MUNMAP(buffer, size);
+
+	if (pkey_free(pkey) == -1)
+		tst_brk(TBROK | TERRNO, "pkey_free failed");
+}
+
+static void verify_pkey(unsigned int i)
+{
+	long unsigned int j;
+	struct mmap_param *mpa;
+
+	struct tcase *tc = &tcases[i];
+
+	for (j = 0; j < ARRAY_SIZE(mmap_params); j++) {
+		mpa = &mmap_params[j];
+
+		pkey_test(tc, mpa);
+	}
+}
+
+static struct tst_test test = {
+	.tcnt = ARRAY_SIZE(tcases),
+	.forks_child = 1,
+	.test = verify_pkey,
+	.setup = setup,
+	.cleanup = cleanup,
+	.save_restore = save_restore,
+};

[v3,2/2] pkey: add test for memory protection keys

Commit Message

Comments

Patch