
lua-lsm: add file_mprotect context #21

Open

chenzongyao200127 wants to merge 1 commit into openanolis:lua-lsm from chenzongyao200127:lua-lsm-file-mprotect

Conversation

@chenzongyao200127 (Collaborator)

Lua-LSM currently exposes file_mprotect() with only the requested and effective protection masks. That leaves Lua policy to infer intent from raw bits, and hides useful VMA context such as whether the region is anonymous, file-backed, shared, stack, heap, gaining execute permission, or becoming writable and executable.

Add an mprotect context userdata for file_mprotect(). The context exposes derived VMA attributes and a file() accessor for file-backed mappings, while preserving the raw reqprot and prot arguments for policy that wants to inspect the original protection masks.

Example Lua policy:

```lua
return {
    name = "mprotect-policy",
    author = "Zongyao Chen",
    license = "GPL",

    file_mprotect = function(ctx, reqprot, prot)
        if ctx.wx then
            return false, errno.EPERM
        end

        if ctx.gaining_exec and ctx.anonymous and not ctx.stack then
            return false, errno.EPERM
        end

        if ctx.file_backed and ctx.write_to_exec then
            local file = ctx:file()
            local path = file and file:path()
            if path and path:match("^/tmp/") then
                return false, errno.EPERM
            end
        end

        return true
    end,
}
```

Validation:

  • ./scripts/checkpatch.pl --git origin/lua-lsm..lua-lsm-file-mprotect
    • reports only: added, moved or deleted file(s), does MAINTAINERS need updating?
  • git diff --check origin/lua-lsm..lua-lsm-file-mprotect

Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>
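The policy above driven offline against constructed mock contexts, as an added example that is not part of the PR. It assumes only the attribute names the description lists (wx, gaining_exec, anonymous, stack, heap, file_backed, write_to_exec, file(), path()) and stubs errno.EPERM, since the real userdata exists only inside the kernel; the last case shows that the /tmp rule falls open when ctx:file() returns nil, which a policy author may want to treat as a deny instead.

```lua
-- Added example, not part of the PR: exercise the policy's decision logic
-- with mock ctx objects. Attribute names follow the PR description;
-- errno.EPERM is a stub value so this runs in a plain Lua interpreter.
local errno = { EPERM = 1 }

local policy = {
    file_mprotect = function(ctx, reqprot, prot)
        if ctx.wx then return false, errno.EPERM end
        if ctx.gaining_exec and ctx.anonymous and not ctx.stack then
            return false, errno.EPERM
        end
        if ctx.file_backed and ctx.write_to_exec then
            local file = ctx:file()
            local path = file and file:path()
            if path and path:match("^/tmp/") then
                return false, errno.EPERM
            end
        end
        return true
    end,
}

-- Build a mock context; `path` is nil when no backing file is available,
-- otherwise ctx:file() returns an object whose path() yields it (constructed).
local function mock_ctx(attrs, path)
    local ctx = {}
    for k, v in pairs(attrs) do ctx[k] = v end
    ctx.file = function(self)
        if not path then return nil end
        return { path = function() return path end }
    end
    return ctx
end

-- { description, context, expected decision }
local cases = {
    { "W+X mapping denied", mock_ctx({ wx = true }), false },
    { "anonymous heap gaining exec denied", mock_ctx({ gaining_exec = true, anonymous = true, heap = true }), false },
    { "stack gaining exec allowed", mock_ctx({ gaining_exec = true, anonymous = true, stack = true }), true },
    { "/tmp file write->exec denied", mock_ctx({ file_backed = true, write_to_exec = true }, "/tmp/x.so"), false },
    { "/usr/lib file write->exec allowed", mock_ctx({ file_backed = true, write_to_exec = true }, "/usr/lib/x.so"), true },
    { "file-backed but file() nil: falls open", mock_ctx({ file_backed = true, write_to_exec = true }), true },
}

for _, c in ipairs(cases) do
    local allowed, err = policy.file_mprotect(c[2], 0, 0)  -- raw masks unused by this policy
    assert(allowed == c[3], "unexpected decision for: " .. c[1])
    print(string.format("%-42s %s", c[1], allowed and "allow" or ("deny (errno " .. tostring(err) .. ")")))
end
```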

The file_mprotect hook only exposed raw protection bits to Lua,
leaving policy unable to distinguish common memory protection cases such
as executable upgrades, writable-executable mappings, anonymous regions,
stacks, heaps, or file-backed VMAs.

Add an mprotect context userdata with derived VMA attributes and an
optional file accessor. Pass that context to file_mprotect() together
with the requested and effective protection masks so Lua policy can make
decisions without decoding vm_area_struct details itself.

Signed-off-by: Zongyao Chen <ZongYao.Chen@linux.alibaba.com>