Implementing per-thread memory access permissions

US10496555B2 · US · B2

Patent metadata

Publication number: US-10496555-B2
Application number: US-201715592843-A
Country: US
Kind code: B2
Filing date: May 11, 2017
Priority date: May 11, 2017
Publication date: Dec 3, 2019
Grant date: Dec 3, 2019


Abstract


Disclosed are systems and methods of implementing per-thread granular memory access permissions. An example method may include: initializing a plurality of memory protection keys associated with a plurality of page table entries associated with an address space of a processing thread; loading, to a protection key rights register associated with the processing thread, a plurality of memory access permissions referenced by the memory protection keys; initializing a system call filter to prevent the processing thread from modifying the protection key rights register; and causing the processing thread to be executed.

Claims

What is claimed is:

1. A method, comprising: initializing, by a processing device, a plurality of memory protection keys associated with a plurality of page table entries associated with an address space of a main processing thread of a hypervisor, wherein the main processing thread coordinates an emulator processing thread associated with a virtual machine managed by the hypervisor; loading, to a first protection key rights register associated with the main processing thread, a first plurality of memory access permissions, wherein the first plurality of memory access permissions comprise an execute permission with respect to a loadable library memory region and a code memory region, a read-write permission with respect to an emulated stack, a read-write permission with respect to an I/O stack, and a read-write permission with respect to a shared memory region; loading, to a second protection key rights register associated with the emulator processing thread, a second plurality of memory access permissions, wherein the second plurality of memory access permissions include an execute permission with respect to the code memory region, a read-write permission with respect to the shared memory region, a read-write permission with respect to an emulated heap, and a read-write permission with respect to the emulated stack; initializing a system call filter to prevent the main processing thread from modifying the first protection key rights register; causing the main processing thread to be executed; and responsive to intercepting a system call by the system call filter, matching a value of a system call parameter to a value specified by a filtering rule.

2. The method of claim 1, wherein a protection key is stored in reserved bit positions of a page table entry of the plurality of page table entries.

3. The method of claim 1, wherein each memory access permission of the first plurality of memory access permissions comprises a bit mask including one or more bits, wherein each bit indicates a permission for the main processing thread to perform a defined memory access operation with respect to a memory region referenced by a page table entry that comprises a memory protection key indicating a position of the bit mask in the first protection key rights register.

4. The method of claim 3, wherein the defined memory access operation is identified by a position of the bit within the bit mask.

5. The method of claim 1, wherein each memory access permission of the first plurality of memory access permissions comprises a bit mask including one or more bits, wherein each bit disables the processing thread to perform a defined memory access operation with respect to a memory region referenced by a page table entry that comprises a memory protection key indicating a position of the bit mask in the first protection key rights register.

6. The method of claim 1, further comprising: responsive to intercepting a system call by the system call filter, performing at least one of: terminating the main processing thread, issuing a defined signal to the main processing thread, returning a defined error code to the main processing thread, or generating a system trace event.

7. The method of claim 1, wherein the system call filter is provided by a secure computing (seccomp) filter.

8. The method of claim 1, wherein the system call filter is provided by a Berkeley packet filter (BPF).

9. A computer system, comprising: a memory to store a paging table comprising a plurality of page table entries; and a processing device, operatively coupled to the memory, to: initialize a plurality of memory protection keys associated with the plurality of page table entries associated with an address space of a main processing thread of a hypervisor, wherein the main processing thread coordinates an emulator processing thread associated with a virtual machine managed by the hypervisor; load, to a first protection key rights register associated with the main processing thread, a first plurality of memory access permissions, wherein the first plurality of memory access permissions comprise an execute permission with respect to a loadable library memory region and a code memory region, a read-write permission with respect to an emulated stack, a read-write permission with respect to an I/O stack, and a read-write permission with respect to a shared memory region; load, to a second protection key rights register associated with the emulator processing thread, a second plurality of memory access permissions, wherein the second plurality of memory access permissions include an execute permission with respect to the code memory region, a read-write permission with respect to the shared memory region, a read-write permission with respect to an emulated heap, and a read-write permission with respect to the emulated stack; initialize a system call filter to prevent the main processing thread from modifying the first protection key rights register; cause the main processing thread to be executed; and responsive to intercepting a system call by the system call filter, match a value of a system call parameter to a value specified by a filtering rule.

10. The computer system of claim 9, wherein a protection key is stored in reserved bit positions of a page table entry of the plurality of page table entries.

11. The computer system of claim 9, wherein each memory access permission of the first plurality of memory access permissions comprises a bit mask including one or more bits, wherein each bit indicates a permission for the main processing thread to perform a defined memory access operation with respect to a memory region referenced by a page table entry that comprises a memory protection key indicating a position of the bit mask in the first protection key rights register.

12. The computer system of claim 11, wherein the defined memory access operation is identified by a position of the bit within the bit mask.

13. A non-transitory computer-readable storage medium comprising executable instructions that, when executed by a processing device, cause the processing device to: initialize, by the processing device, a plurality of memory protection keys associated with a plurality of page table entries associated with an address space of a main processing thread of a hypervisor, wherein the main processing thread coordinates an emulator processing thread associated with a virtual machine managed by the hypervisor; load, to a first protection key rights register associated with the main processing thread, a first plurality of memory access permissions, wherein the first plurality of memory access permissions comprise an execute permission with respect to a loadable library memory region and a code memory region, a read-write permission with respect to an emulated stack, a read-write permission with respect to an I/O stack, and a read-write permission with respect to a shared memory region; load, to a second protection key rights register associated with the emulator processing thread, a second plurality of memory access permissions, wherein the second plurality of memory access permissions include an execute permission with respect to the code memory region, a read-write permission with respect to the shared memory region, a read-write permission with respect to an emulated heap, and a read-write permission with respect to the emulated stack; initialize a system call filter to prevent the main processing thread from modifying the first protection key rights register; cause the main processing thread to be executed; and responsive to intercepting a system call by the system call filter, match a value
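Added example, not code from the patent: the two per-thread rights registers of claim 1 expressed in the x86 PKRU bit layout (claims 3 to 5 describe exactly such a bit mask indexed by the page's protection key), with key numbers assumed for illustration. It shows why the emulator thread cannot read or write the I/O stack although both threads share one address space; the seccomp filter that then locks the register is the other half of the claim and is not modelled here.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model of the per-thread "protection key rights register" of claim 1 using
 * the real x86 PKRU layout, two bits per key k:
 *   bit 2k   = AD (access disable): any data access to pages tagged k faults,
 *   bit 2k+1 = WD (write disable):  writes fault, reads succeed.
 * Key numbers are an assumption for illustration; on Linux they come from
 * pkey_alloc() and are attached to page table entries by pkey_mprotect(). */
enum region_key { KEY_LIBRARY = 1, KEY_CODE, KEY_EMU_STACK,
                  KEY_IO_STACK, KEY_SHARED, KEY_EMU_HEAP };

#define PKRU_AD(k) (1u << (2 * (k)))
#define PKRU_WD(k) (1u << (2 * (k) + 1))

/* Start closed: every key denied except key 0, which tags all untagged pages. */
static uint32_t pkru_closed(void)           { return ~(PKRU_AD(0) | PKRU_WD(0)); }
static uint32_t allow_rw(uint32_t p, int k) { return p & ~(PKRU_AD(k) | PKRU_WD(k)); }
static uint32_t allow_ro(uint32_t p, int k) { return (p & ~PKRU_AD(k)) | PKRU_WD(k); }

/* PKRU gates data accesses only; instruction fetch is governed by the NX bit,
 * so an "execute" region of the claim gets read-only data access here. */
uint32_t main_thread_pkru(void) {
    uint32_t p = pkru_closed();
    p = allow_ro(p, KEY_LIBRARY);      /* execute: library region  */
    p = allow_ro(p, KEY_CODE);         /* execute: code region     */
    p = allow_rw(p, KEY_EMU_STACK);    /* read-write regions       */
    p = allow_rw(p, KEY_IO_STACK);
    p = allow_rw(p, KEY_SHARED);
    return p;                          /* emulated heap stays denied */
}

uint32_t emulator_thread_pkru(void) {
    uint32_t p = pkru_closed();
    p = allow_ro(p, KEY_CODE);
    p = allow_rw(p, KEY_SHARED);
    p = allow_rw(p, KEY_EMU_HEAP);
    p = allow_rw(p, KEY_EMU_STACK);
    return p;                          /* library and I/O stack stay denied */
}

/* Would a data access by a thread holding pkru to a page tagged key succeed? */
bool pkru_allows(uint32_t pkru, int key, bool is_write) {
    if (pkru & PKRU_AD(key)) return false;
    if (is_write && (pkru & PKRU_WD(key))) return false;
    return true;
}
```

A thread that could still call pkey_mprotect() or mprotect() could retag or unprotect a region, which is why the claim pairs the register with a system call filter.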

Assignees

Red Hat Inc

Classifications (CPC; primary classification G06F12/1475)

  • in a virtual system, e.g. with translation means
  • Extension of operand address space
  • Addressing a physical block of locations, e.g. base addressing, module addressing, memory dedication (G06F12/08 takes precedence)
  • Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
  • by using cryptography (for digital transmission H04L9/00)


Frequently asked questions


Who is the assignee on this patent?
Red Hat Inc
What technology area does this patent fall under?
Primary CPC classification G06F12/1475. Mapped technology areas include Physics.
When was this patent published?
Published Dec 3, 2019 (kind code B2). Legal status and post-grant events are not shown on this page.