From: Florian Weimer <fweimer@redhat.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Linux API <linux-api@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>,
linux-x86_64@vger.kernel.org,
linux-arch <linux-arch@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
Carlos O'Donell <carlos@redhat.com>, X86 ML <x86@kernel.org>
Subject: Re: Detecting the availability of VSYSCALL
Date: Wed, 26 Jun 2019 17:00:28 +0200 [thread overview]
Message-ID: <87r27gjss3.fsf@oldenburg2.str.redhat.com> (raw)
In-Reply-To: <CA96B819-30A9-43D3-9FE3-2D551D35369E@amacapital.net> (Andy Lutomirski's message of "Wed, 26 Jun 2019 07:15:59 -0700")
* Andy Lutomirski:
> I didn’t add a flag because the vsyscall page was thoroughly obsolete
> when all this happened, and I wanted to encourage all new code to just
> parse the vDSO instead of piling on the hacks.
It turned out that the thorny cases just switched to system calls
instead. I think we finally completed the transition in glibc upstream
in 2018 (for x86).
> Anyway, you may be the right person to ask: is there some credible way
> that the kernel could detect new binaries that don’t need vsyscalls?
> Maybe a new ELF note on a static binary or on the ELF interpreter? We
> can dynamically switch it in principle.
For this kind of change, markup similar to PT_GNU_STACK would have been
appropriate, I think: Old kernels and loaders would have ignored the
program header and loaded the program anyway, but the vsyscall page
still existed, so that would have been fine. The kernel would have
needed to check the program interpreter or the main executable (without
a program interpreter, i.e., the statically linked case). Due the way
the vsyscalls are concentrated in glibc, a dynamically linked executable
would not have needed checking (or re-linking). I don't think we would
have implemented the full late enablement after dlopen we did for
executable stacks. In theory, any code could have jumped to the
vsyscall area, but in practice, it's just dynamically linked glibc and
static binaries.
But nowadays, unmarked glibcs which do not depend on vsyscall vastly
outnumber unmarked glibcs which requrie it. Therefore, markup of
binaries does not seem to be reasonable to day. I could imagine a
personality flag you can set (if yoy have CAP_SYS_ADMIN) that re-enables
vsyscall support for new subprocesses. And a container runtime would do
this based on metadata found in the image. This way, the container host
itself could be protected, and you could still run legacy images which
require vsyscall.
For the non-container case, if you know that you'll run legacy
workloads, you'd still have the boot parameter. But I think it could
default to vsyscall=none in many more cases.
Thanks,
Florian
next prev parent reply other threads:[~2019-06-26 15:00 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-25 15:15 Detecting the availability of VSYSCALL Florian Weimer
2019-06-25 15:15 ` Florian Weimer
2019-06-25 16:30 ` Thomas Gleixner
2019-06-25 16:30 ` Thomas Gleixner
2019-06-25 16:38 ` Florian Weimer
2019-06-25 16:38 ` Florian Weimer
2019-06-25 20:11 ` Andy Lutomirski
2019-06-25 20:11 ` Andy Lutomirski
2019-06-25 20:47 ` Florian Weimer
2019-06-25 20:47 ` Florian Weimer
2019-06-25 21:49 ` Andy Lutomirski
2019-06-25 21:49 ` Andy Lutomirski
2019-06-26 12:12 ` Florian Weimer
2019-06-26 12:12 ` Florian Weimer
2019-06-26 14:15 ` Andy Lutomirski
2019-06-26 14:15 ` Andy Lutomirski
2019-06-26 15:00 ` Florian Weimer [this message]
2019-06-26 15:00 ` Florian Weimer
2019-06-26 15:21 ` Andy Lutomirski
2019-06-26 15:21 ` Andy Lutomirski
2019-06-26 15:36 ` Florian Weimer
2019-06-26 15:36 ` Florian Weimer
2019-06-26 16:24 ` Andy Lutomirski
2019-06-26 16:24 ` Andy Lutomirski
2019-06-26 16:45 ` Florian Weimer
2019-06-26 16:45 ` Florian Weimer
2019-06-26 16:52 ` Andy Lutomirski
2019-06-26 16:52 ` Andy Lutomirski
2019-06-26 17:04 ` Florian Weimer
2019-06-26 17:04 ` Florian Weimer
2019-06-26 17:14 ` Andy Lutomirski
2019-06-26 17:14 ` Andy Lutomirski
2019-06-25 20:08 ` Kees Cook
2019-06-25 20:08 ` Kees Cook
2019-06-25 20:13 ` Andy Lutomirski
2019-06-25 20:13 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87r27gjss3.fsf@oldenburg2.str.redhat.com \
--to=fweimer@redhat.com \
--cc=carlos@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-x86_64@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox