diff options
author | Jamie Liu <jamieliu@google.com> | 2019-03-25 12:41:36 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-03-25 12:42:43 -0700 |
commit | f3723f805989d0c5956fbb6aa88b1cd9ac20753c (patch) | |
tree | f8992ae20287a20ab4325a0fa8f5da213283470f /pkg/sentry/memmap/memmap.go | |
parent | ddc05e3053e387be9c81aa98c621b6fc92b01000 (diff) |
Call memmap.Mappable.Translate with more conservative usermem.AccessType.
MM.insertPMAsLocked() passes vma.maxPerms to memmap.Mappable.Translate
(although it unsets AccessType.Write if the vma is private). This
somewhat simplifies handling of pmas, since it means only COW-break
needs to replace existing pmas. However, it also means that a MAP_SHARED
mapping of a file opened O_RDWR dirties the file, regardless of the
mapping's permissions and whether or not the mapping is ever actually
written to with I/O that ignores permissions (e.g.
ptrace(PTRACE_POKEDATA)).
To fix this:
- Change the pma-getting path to request only the permissions that are
required for the calling access.
- Change memmap.Mappable.Translate to take requested permissions, and
return allowed permissions. This preserves the existing behavior in the
common cases where the memmap.Mappable isn't
fsutil.CachingInodeOperations and doesn't care if the translated
platform.File pages are written to.
- Change the MM.getPMAsLocked path to support permission upgrading of
pmas outside of copy-on-write.
PiperOrigin-RevId: 240196979
Change-Id: Ie0147c62c1fbc409467a6fa16269a413f3d7d571
Diffstat (limited to 'pkg/sentry/memmap/memmap.go')
-rw-r--r-- | pkg/sentry/memmap/memmap.go | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/pkg/sentry/memmap/memmap.go b/pkg/sentry/memmap/memmap.go index 70cdf428b..1ef1f0dd8 100644 --- a/pkg/sentry/memmap/memmap.go +++ b/pkg/sentry/memmap/memmap.go @@ -105,13 +105,22 @@ type Translation struct { // Offset is the offset into File at which this Translation begins. Offset uint64 + + // Perms is the set of permissions for which platform.AddressSpace.MapFile + // and platform.AddressSpace.MapInternal on this Translation is permitted. + Perms usermem.AccessType +} + +// FileRange returns the platform.FileRange represented by t. +func (t Translation) FileRange() platform.FileRange { + return platform.FileRange{t.Offset, t.Offset + t.Source.Length()} } // CheckTranslateResult returns an error if (ts, terr) does not satisfy all -// postconditions for Mappable.Translate(required, optional). +// postconditions for Mappable.Translate(required, optional, at). // // Preconditions: As for Mappable.Translate. -func CheckTranslateResult(required, optional MappableRange, ts []Translation, terr error) error { +func CheckTranslateResult(required, optional MappableRange, at usermem.AccessType, ts []Translation, terr error) error { // Verify that the inputs to Mappable.Translate were valid. if !required.WellFormed() || required.Length() <= 0 { panic(fmt.Sprintf("invalid required range: %v", required)) @@ -156,6 +165,10 @@ func CheckTranslateResult(required, optional MappableRange, ts []Translation, te if !optional.IsSupersetOf(t.Source) { return fmt.Errorf("Translation %+v lies outside optional range %v", t, optional) } + // Each Translation must permit a superset of requested accesses. + if !t.Perms.SupersetOf(at) { + return fmt.Errorf("Translation %+v does not permit all requested access types %v", t, at) + } } // If the set of Translations does not cover the entire required range, // Translate must return a non-nil error explaining why. |