From mboxrd@z Thu Jan 1 00:00:00 1970
From: Florian Weimer
Subject: Re: Detecting the availability of VSYSCALL
Date: Wed, 26 Jun 2019 19:04:12 +0200
Message-ID: <87ef3g1do3.fsf@oldenburg2.str.redhat.com>
References: <87v9wty9v4.fsf@oldenburg2.str.redhat.com>
 <87lfxpy614.fsf@oldenburg2.str.redhat.com>
 <87a7e5v1d9.fsf@oldenburg2.str.redhat.com>
 <87o92kmtp5.fsf@oldenburg2.str.redhat.com>
 <87r27gjss3.fsf@oldenburg2.str.redhat.com>
 <534B9F63-E949-4CF5-ACAC-71381190846F@amacapital.net>
 <87a7e4jr4s.fsf@oldenburg2.str.redhat.com>
 <6CECE9DE-51AB-4A21-A257-8B85C4C94EB0@amacapital.net>
 <87sgrw1ejv.fsf@oldenburg2.str.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
In-Reply-To: (Andy Lutomirski's message of "Wed, 26 Jun 2019 09:52:15 -0700")
To: Andy Lutomirski
Cc: Thomas Gleixner, Linux API, Kernel Hardening, linux-x86_64@vger.kernel.org, linux-arch, Kees Cook, Carlos O'Donell, X86 ML
List-Id: linux-arch.vger.kernel.org

* Andy Lutomirski:

> On Wed, Jun 26, 2019 at 9:45 AM Florian Weimer wrote:
>>
>> * Andy Lutomirski:
>>
>> > Can't an ELF note be done with some more or less ordinary asm such
>> > that any link editor will insert it correctly?
>>
>> We've just been over this for the CET enablement.  ELF PT_NOTE parsing
>> was rejected there.
>
> No one told me this.  Unless I missed something, the latest kernel
> patches still had PT_NOTE parsing.  Can you point me at an
> enlightening thread or explain what happened?

The ABI was changed rather late, and PT_GNU_PROPERTY has been added.
But this is okay because the kernel only looks at the dynamic loader,
which we can update fairly easily.

The thread is:

Subject: Re: [PATCH v7 22/27] binfmt_elf: Extract .note.gnu.property from an ELF file

<87blyu7ubf.fsf@oldenburg2.str.redhat.com> is a message reference in it.
>> > The problem with a personality flag is that it needs to have some kind
>> > of sensible behavior for setuid programs, and getting that right in a
>> > way that doesn't scream "exploit me" while preserving useful
>> > compatibility may be tricky.
>>
>> Are restrictive personality flags still a problem with user namespaces?
>> I think it would be fine to restrict this one to CAP_SYS_ADMIN.
>
> We could possibly get away with this, but now we're introducing a
> whole new mechanism.  I'd rather just add proper per-namespace
> sysctls, but this is a pretty big hammer.

Oh, I wasn't aware of that.  I thought that this already existed in some
form, e.g. prctl with PR_SET_SECCOMP requiring CAP_SYS_ADMIN unless
PR_SET_NO_NEW_PRIVS was active as well.

Thanks,
Florian
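An added example, not code from this thread, the kernel or glibc, of what "the kernel only looks at PT_GNU_PROPERTY" means for anyone auditing a binary: a small reader that locates the PT_GNU_PROPERTY program header of a little-endian ELF64 image, validates the NT_GNU_PROPERTY_TYPE_0 note it points at, and decodes the GNU_PROPERTY_X86_FEATURE_1_AND bits (IBT and SHSTK) that the CET enablement work uses. A property note that only lives in a plain PT_NOTE segment is deliberately ignored, matching the ABI change the message describes. The ELF, note and property constants are the published gABI and x86-64 psABI values; the function names (`read_gnu_properties`, `x86_feature_1`, `build_sample_elf`) and the in-memory sample images are assumptions constructed for this example, and the samples are not loadable binaries.

```python
"""Reader for the PT_GNU_PROPERTY segment of a little-endian ELF64 file.

Added example; not code from this thread, the kernel, or glibc.  The
sample ELF images below are constructed in memory and are not loadable.
"""
import struct

PT_NOTE = 4
PT_GNU_PROPERTY = 0x6474E553            # PT_LOOS + 0x474E553
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
NHDR = struct.Struct("<III")               # Elf64_Nhdr: namesz, descsz, type


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def read_gnu_properties(data):
    """Return {pr_type: raw bytes} from the PT_GNU_PROPERTY segment, {} if none.

    Only PT_GNU_PROPERTY is consulted: a property note that lives solely in a
    plain PT_NOTE segment is ignored.  Anything malformed raises ValueError
    instead of being silently accepted.
    """
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = EHDR.unpack_from(data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected e_phentsize")
    segments = []
    for i in range(e_phnum):
        ph = PHDR.unpack_from(data, e_phoff + i * PHDR.size)
        if ph[0] == PT_GNU_PROPERTY:
            segments.append((ph[2], ph[5]))        # (p_offset, p_filesz)
    if not segments:
        return {}
    if len(segments) > 1:
        raise ValueError("more than one PT_GNU_PROPERTY segment")
    off, size = segments[0]
    note = data[off:off + size]
    if len(note) != size or size < NHDR.size:
        raise ValueError("PT_GNU_PROPERTY segment truncated")
    namesz, descsz, n_type = NHDR.unpack_from(note, 0)
    name_off = NHDR.size
    desc_off = name_off + _align(namesz, 4)
    if n_type != NT_GNU_PROPERTY_TYPE_0 or note[name_off:name_off + namesz] != b"GNU\0":
        raise ValueError("not an NT_GNU_PROPERTY_TYPE_0 note owned by GNU")
    if desc_off + descsz > len(note):
        raise ValueError("note descriptor truncated")
    desc = note[desc_off:desc_off + descsz]
    props, pos = {}, 0
    while pos < len(desc):
        if pos + 8 > len(desc):
            raise ValueError("property header truncated")
        pr_type, pr_datasz = struct.unpack_from("<II", desc, pos)
        pos += 8
        if pos + pr_datasz > len(desc):
            raise ValueError("property data truncated")
        props[pr_type] = desc[pos:pos + pr_datasz]
        pos += _align(pr_datasz, 8)                # ELF64: 8-byte property alignment
    return props


def x86_feature_1(data):
    """Decode GNU_PROPERTY_X86_FEATURE_1_AND; None if the binary does not carry it."""
    raw = read_gnu_properties(data).get(GNU_PROPERTY_X86_FEATURE_1_AND)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("X86_FEATURE_1_AND payload must be 4 bytes")
    bits = struct.unpack("<I", raw)[0]
    return {"ibt": bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT),
            "shstk": bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK),
            "raw": bits}


def build_property_note(feature_bits):
    """Constructed NT_GNU_PROPERTY_TYPE_0 note with one X86_FEATURE_1_AND property."""
    desc = struct.pack("<IIII", GNU_PROPERTY_X86_FEATURE_1_AND, 4, feature_bits, 0)
    return NHDR.pack(4, len(desc), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + desc


def build_sample_elf(feature_bits, segment_type=PT_GNU_PROPERTY):
    """Constructed ELF64 shell: header, one program header of segment_type, the note."""
    note = build_property_note(feature_bits)
    phoff = EHDR.size
    note_off = phoff + PHDR.size
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)    # ELFCLASS64, ELFDATA2LSB
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, phoff, 0, 0, EHDR.size, PHDR.size, 1, 0, 0, 0)
    phdr = PHDR.pack(segment_type, 4, note_off, 0, 0, len(note), len(note), 8)
    return ehdr + phdr + note


if __name__ == "__main__":
    print(x86_feature_1(build_sample_elf(3)))                        # IBT and SHSTK set
    print(x86_feature_1(build_sample_elf(3, segment_type=PT_NOTE)))  # None: PT_NOTE only
```

On a real file, pass `open(path, "rb").read()` to `x86_feature_1`; a result of `None` means the binary makes no CET claim at all, which is a different finding from a note whose IBT or SHSTK bit is clear. The reader rejects truncated segments and duplicate PT_GNU_PROPERTY headers rather than guessing, since a loader that tolerates malformed property notes is exactly the kind of leniency the thread is trying to avoid.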