[RFC PATCH] seccomp: Add protection keys into seccomp_data
Dave Hansen
dave.hansen at intel.com
Tue Oct 30 04:07:09 AEDT 2018
On 10/29/18 10:02 AM, Michael Sammler wrote:
>>> Also, I'm not sure the kernel provides the PKRU guarantees you want at
>>> the moment. Our implementation *probably* works, but it's mostly by
>>> accident.
> I don't know, which guarantees about the PKRU are provided at the
> moment, but the only guarantee needed for this patch is, that the kernel
> does not change the bits of the PKRU register, which belong to pkeys
> allocated by the user program, between the syscall entry and the call to
> secure_computing(). Is there are use case where the kernel would like to
> modify these bits of the PKRU?
We've been talking about doing more lax save/restore of the XSAVE
content (PKRU is part of this content). We would, for instance, only
restore it when returning to userspace, but PKRU might not be up-to-date
with the value in current->fpu.
It's not a deal-breaker with your approach, it's just something to be
careful of and make sure PKRU is up-to-date before you go use it.
More information about the Linuxppc-dev
mailing list