From c861f3ff5e5d2b1e614e484507f03ad9e0415ec5 Mon Sep 17 00:00:00 2001 From: Haryslee Date: Sat, 6 May 2023 10:15:04 +0800 Subject: [PATCH] feat: add key data for PAC protection Signed-off-by: Haryslee Change-Id: Iaffc72b7371ebc825bc707326f1e9e661fd2612c --- fs/namespace.c | 2 ++ include/linux/capability.h | 2 +- include/linux/cred.h | 4 ++-- include/linux/fs.h | 2 +- include/linux/mm_types.h | 4 ++-- include/linux/mount.h | 2 +- include/linux/uidgid.h | 4 ++-- 7 files changed, 11 insertions(+), 9 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index 6e76f2a72cfc..3a5b06f292b8 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -200,6 +200,8 @@ static struct mount *alloc_vfsmnt(const char *name) mnt->mnt_writers = 0; #endif + mnt->mnt.mnt_flags = 0; + INIT_HLIST_NODE(&mnt->mnt_hash); INIT_LIST_HEAD(&mnt->mnt_child); INIT_LIST_HEAD(&mnt->mnt_mounts); diff --git a/include/linux/capability.h b/include/linux/capability.h index 1e7fe311cabe..11fa996383f3 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h @@ -22,7 +22,7 @@ extern int file_caps_enabled; typedef struct kernel_cap_struct { - __u32 cap[_KERNEL_CAPABILITY_U32S]; + __attribute__((pac_protected_data)) __u32 cap[_KERNEL_CAPABILITY_U32S]; } kernel_cap_t; /* same as vfs_ns_cap_data but in cpu endian and always filled completely */ diff --git a/include/linux/cred.h b/include/linux/cred.h index 18639c069263..2e5d5ccd18e4 100644 --- a/include/linux/cred.h +++ b/include/linux/cred.h @@ -125,14 +125,14 @@ struct cred { kgid_t egid; /* effective GID of the task */ kuid_t fsuid; /* UID for VFS ops */ kgid_t fsgid; /* GID for VFS ops */ - unsigned securebits; /* SUID-less security management */ + __attribute__((pac_protected_data)) unsigned securebits; /* SUID-less security management */ kernel_cap_t cap_inheritable; /* caps our children can inherit */ kernel_cap_t cap_permitted; /* caps we're permitted */ kernel_cap_t cap_effective; /* caps we can actually use */ kernel_cap_t cap_bset; /* capability bounding set */ kernel_cap_t cap_ambient; /* Ambient capability set */ #ifdef CONFIG_KEYS - unsigned char jit_keyring; /* default keyring to attach requested + __attribute__((pac_protected_data)) unsigned char jit_keyring; /* default keyring to attach requested * keys to */ struct key *session_keyring; /* keyring inherited over fork */ struct key *process_keyring; /* keyring private to this process */ diff --git a/include/linux/fs.h b/include/linux/fs.h index 3e548c0d3e07..c3036f5a9d12 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -696,7 +696,7 @@ struct inode { struct address_space i_data; struct list_head i_devices; union { - struct pipe_inode_info *i_pipe; + __attribute__((pac_protected_ptr)) struct pipe_inode_info *i_pipe; struct block_device *i_bdev; struct cdev *i_cdev; char *i_link; diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index d86bc1d2dcc3..3eba8703e330 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -424,7 +424,7 @@ struct mm_struct { #endif unsigned long task_size; /* size of task vm space */ unsigned long highest_vm_end; /* highest vma end address */ - pgd_t * pgd; + __attribute__((pac_protected_ptr)) pgd_t * pgd; #ifdef CONFIG_MEM_PURGEABLE void *uxpgd; spinlock_t uxpgd_lock; @@ -511,7 +511,7 @@ struct mm_struct { unsigned long data_vm; /* VM_WRITE & ~VM_SHARED & ~VM_STACK */ unsigned long exec_vm; /* VM_EXEC & ~VM_WRITE & ~VM_STACK */ unsigned long stack_vm; /* VM_STACK */ - unsigned long def_flags; + __attribute__((pac_protected_data)) unsigned long def_flags; /** * @write_protect_seq: Locked when any thread is write diff --git a/include/linux/mount.h b/include/linux/mount.h index aaf343b38671..811f727bc0fe 100644 --- a/include/linux/mount.h +++ b/include/linux/mount.h @@ -71,7 +71,7 @@ struct fs_context; struct vfsmount { struct dentry *mnt_root; /* root of the mounted tree */ struct super_block *mnt_sb; /* pointer to superblock */ - int mnt_flags; + __attribute__((pac_protected_data)) int mnt_flags; } __randomize_layout; struct file; /* forward dec */ diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h index 120ef9f71914..5917bf142110 100644 --- a/include/linux/uidgid.h +++ b/include/linux/uidgid.h @@ -19,12 +19,12 @@ struct user_namespace; extern struct user_namespace init_user_ns; typedef struct { - uid_t val; + __attribute__((pac_protected_data)) uid_t val; } kuid_t; typedef struct { - gid_t val; + __attribute__((pac_protected_data)) gid_t val; } kgid_t; #define KUIDT_INIT(value) (kuid_t){ value } -- Gitee