From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.1 required=3.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED,DKIM_VALID,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D7C0CC4363A for ; Thu, 22 Oct 2020 10:13:56 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 4D79522248 for ; Thu, 22 Oct 2020 10:13:56 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="VjGcENQM"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Ky8oYdpr" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4D79522248 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Type: Content-Transfer-Encoding:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:Date:Message-ID:From: References:To:Subject:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=Bug9ySsDkJjAiLEpGZWaMu2FEDDWR6SSNj7DrkOuQW8=; b=VjGcENQMXofYO4MdSF80Tnf7Q 7lVd87CRyltZlZNvqwYKDy+X8KWIj7A+nT8yBD9pVSsRsFWWE+QAwzFvoZnSBjAZ5IN2U6/EqIUrX 5OUJ/FBSzQJ+IU4DeHLChbntnHd4TSf10JcE7fgZCODON3zMoYqKjuH3cHSUZ+9jah0uQwbIL6TK1 eW7rdm4AKDLssVfA9cl4CDOBbkrEj7sq4fs6ARVecgU18WK5W7p+VQKVdDSuoJZQzgju/0LnYYZYE KEG6iJwTkHaPWyQ50hRuFGyCWQt57yhJph+/NZonJXkXu/jwBxdohVl2aqFxgva5a9erYEhp5wSUQ fjfObe6ng==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kVXaD-00027u-Pd; Thu, 22 Oct 2020 10:12:34 +0000 Received: from mail-lf1-x12f.google.com ([2a00:1450:4864:20::12f]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kVXaB-000274-03 for linux-arm-kernel@lists.infradead.org; Thu, 22 Oct 2020 10:12:31 +0000 Received: by mail-lf1-x12f.google.com with SMTP id 77so1559353lfl.2 for ; Thu, 22 Oct 2020 03:12:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=sYnH6aqIwTQitjCjG/9NQOBr5RVniOR4tlgCFK9V1uk=; b=Ky8oYdprKO2xoRNJlLlTQiV3N0tpxU4CVqLVPMC48m1Zyj9bC5WDIcOPZUci/12fJn ppSIzXAfoFaa7pm6qW1otMPV1wupW3GNxDcAizZdVf3B8/Kfs8EIrbtikK8tBPQGgzo9 Sl9acr1aQKhjNR9vceckmJZNKR5trCNwblI1jlN5vsyhCa96C37s7T3jYR5LKel7zK0T qug6hRq32LYUOiT3IDcSgsoxafAEuMrmOFOdxhPJ+rwjXexFj1jxTwQkf1iARDYSrvj3 frouoaK8xNlWT0slcMGB74tnokZbGPj1eXS2xs6MZMbU9EcpnNvXvIsBDjSBn/QOuwM1 lgBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=sYnH6aqIwTQitjCjG/9NQOBr5RVniOR4tlgCFK9V1uk=; b=JJJg3Hcvgy+C/6ZQyMd/iUBZateeXhrkO1tSbHEMnBoIiXcRrQ5/lAr29QkOYL5NJf kl3oHubzBlOZPEDQLCsL8+D2+1w8gZxsanSsGzohBh0HEVyoMx8P68ZTKwJIBYQfNrLo lkEG8uiJUoGqfsK9hjNuzo87CNFhv0cUHKsqOzUPZppUmnK2aUbBERv+uHQXuaYdyH19 E5EwCnzMSVJLwpcos2iJx6F7XEx7ARvsUAY7GeRQyG21rM6zcIPYJ/cLq/LgLU/f0AW7 Y2qsR9DpSp1fsTdZ9cFBjl4WzimQ9tLNRx8x88txbN0GOKL5LmJ7652B7wuJXBt6zSrI A0Sw== X-Gm-Message-State: AOAM532Y7QCrUml3O3AQGv4C3tXW0hxNPpWnWEUyDzproYp1Lg1QoN5f AwVmMJrEPNO7ZdgGbJYPpXl1BBKGcbo= X-Google-Smtp-Source: ABdhPJzeRxfpYGJRB9oYjb7C0bbyjfB1wKhO0u6mo+GwjmGg1rq98Bf2sbdk3U+l8GFdchzr1xdObQ== X-Received: by 2002:a19:80d5:: with SMTP id b204mr547967lfd.384.1603361548691; Thu, 22 Oct 2020 03:12:28 -0700 (PDT) Received: from [192.168.1.112] (88-114-211-119.elisa-laajakaista.fi. [88.114.211.119]) by smtp.gmail.com with ESMTPSA id x20sm229660ljj.139.2020.10.22.03.12.25 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 22 Oct 2020 03:12:27 -0700 (PDT) Subject: Re: [systemd-devel] BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures To: Catalin Marinas , Lennart Poettering References: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com> <20201022071812.GA324655@gardel-login> <87sga6snjn.fsf@oldenburg2.str.redhat.com> <511318fd-efde-f2fc-9159-9d16ac8d33a7@gmail.com> <20201022082912.GQ3819@arm.com> <20201022083823.GA324825@gardel-login> <20201022093104.GB1229@gaia> From: Topi Miettinen Message-ID: <4e82e730-4e71-35fe-e46e-f032766dedeb@gmail.com> Date: Thu, 22 Oct 2020 13:12:09 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: <20201022093104.GB1229@gaia> Content-Language: en-US X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201022_061231_077798_B9ADEE37 X-CRM114-Status: GOOD ( 19.54 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Florian Weimer , Mark Rutland , systemd-devel@lists.freedesktop.org, Kees Cook , Szabolcs Nagy , Will Deacon , "linux-kernel@vger.kernel.org" , Mark Brown , libc-alpha@sourceware.org, Dave Martin , "linux-arm-kernel@lists.infradead.org" Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 22.10.2020 12.31, Catalin Marinas wrote: > On Thu, Oct 22, 2020 at 10:38:23AM +0200, Lennart Poettering wrote: >> On Do, 22.10.20 09:29, Szabolcs Nagy (szabolcs.nagy@arm.com) wrote: >>>>> The dynamic loader has to process the LOAD segments to get to the ELF >>>>> note that says to enable BTI. Maybe we could do a first pass and load >>>>> only the segments that cover notes. But that requires lots of changes >>>>> to generic code in the loader. >>>> >>>> What if the loader always enabled BTI for PROT_EXEC pages, but then when >>>> discovering that this was a mistake, mprotect() the pages without BTI? Then >>>> both BTI and MDWX would work and the penalty of not getting MDWX would fall >>>> to non-BTI programs. What's the expected proportion of BTI enabled code vs. >>>> disabled in the future, is it perhaps expected that a distro would enable >>>> the flag globally so eventually only a few legacy programs might be >>>> unprotected? >>> >>> i thought mprotect(PROT_EXEC) would get filtered >>> with or without bti, is that not the case? >> >> We can adjust the filter in systemd to match any combination of >> flags to allow and to deny. > > Yes but Szabolcs' point to Topi was that if we can adjust the filters to > allow mprotect(PROT_EXEC), why not allow mprotect(PROT_EXEC|PROT_BTI) > instead? Anyway, I see the MDWX and BTI as complementary policies so > ideally we shouldn't have to choose between one or the other. If we > allow mprotect(PROT_EXEC), that would override MDWX and also disable > BTI. Allowing mprotect(PROT_EXEC|PROT_BTI) would mean that all you need to circumvent MDWX is to add PROT_BTI flag. I'd suggest getting the flags right at mmap() time or failing that, reverting the PROT_BTI for legacy programs later. Could the kernel tell the loader of the BTI situation with auxiliary vectors? Then it would be easy for the loader to always use the best mmap() flags without ever needing to mprotect(). -Topi _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel