On Thu, Jan 02, 2025 at 03:32:51PM -0800, Isaac J. Manjarres wrote:
Add tests to ensure that F_SEAL_FUTURE_EXEC behaves as expected.
Signed-off-by: Isaac J. Manjarres isaacmanjarres@google.com
This looks reasonable,
Reviewed-by: Lorenzo Stoakes lorenzo.stoakes@oracle.com
tools/testing/selftests/memfd/memfd_test.c | 79 ++++++++++++++++++++++ 1 file changed, 79 insertions(+)
diff --git a/tools/testing/selftests/memfd/memfd_test.c b/tools/testing/selftests/memfd/memfd_test.c index c0c53451a16d..abc213a5ce99 100644 --- a/tools/testing/selftests/memfd/memfd_test.c +++ b/tools/testing/selftests/memfd/memfd_test.c @@ -31,6 +31,7 @@ #define STACK_SIZE 65536
#define F_SEAL_EXEC 0x0020 +#define F_SEAL_FUTURE_EXEC 0x0040
#define F_WX_SEALS (F_SEAL_SHRINK | \ F_SEAL_GROW | \ @@ -318,6 +319,37 @@ static void *mfd_assert_mmap_private(int fd) return p; }
+static void *mfd_fail_mmap_exec(int fd) +{
- void *p;
- p = mmap(NULL,
mfd_def_size,PROT_EXEC,MAP_SHARED,fd,0);- if (p != MAP_FAILED) {
printf("mmap() didn't fail as expected\n");abort();- }
- return p;
+}
+static void mfd_fail_mprotect_exec(void *p) +{
- int ret;
- ret = mprotect(p,
mfd_def_size,PROT_EXEC);- if (!ret) {
printf("mprotect didn't fail as expected\n");abort();- }
+}
static int mfd_assert_open(int fd, int flags, mode_t mode) { char buf[512]; @@ -998,6 +1030,52 @@ static void test_seal_future_write(void) close(fd); }
+/*
- Test SEAL_FUTURE_EXEC_MAPPING
- Test whether SEAL_FUTURE_EXEC_MAPPING actually prevents executable mappings.
- */
+static void test_seal_future_exec_mapping(void) +{
- int fd;
- void *p;
- printf("%s SEAL-FUTURE-EXEC-MAPPING\n", memfd_str);
- fd = mfd_assert_new("kern_memfd_seal_future_exec_mapping",
mfd_def_size,MFD_CLOEXEC | MFD_ALLOW_SEALING);- /*
* PROT_READ | PROT_WRITE mappings create VMAs with VM_MAYEXEC set.* However, F_SEAL_FUTURE_EXEC applies to subsequent mappings,* so it should still succeed even if this mapping is active when the* seal is applied.*/- p = mfd_assert_mmap_shared(fd);
- mfd_assert_has_seals(fd, 0);
- mfd_assert_add_seals(fd, F_SEAL_FUTURE_EXEC);
- mfd_assert_has_seals(fd, F_SEAL_FUTURE_EXEC);
- mfd_fail_mmap_exec(fd);
- munmap(p, mfd_def_size);
- /* Ensure that new mappings without PROT_EXEC work. */
- p = mfd_assert_mmap_shared(fd);
- /*
* Ensure that mappings created after the seal was applied cannot be* made executable via mprotect().*/- mfd_fail_mprotect_exec(p);
- munmap(p, mfd_def_size);
- close(fd);
+}
static void test_seal_write_map_read_shared(void) { int fd; @@ -1639,6 +1717,7 @@ int main(int argc, char **argv) test_seal_shrink(); test_seal_grow(); test_seal_resize();
test_seal_future_exec_mapping();
if (pid_ns_supported()) { test_sysctl_simple();
-- 2.47.1.613.gc27f4b7a9f-goog