From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.2 required=3.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED,DKIM_VALID,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 723BFC4363A for ; Mon, 26 Oct 2020 16:41:48 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 255C520791 for ; Mon, 26 Oct 2020 16:41:48 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="NukAe/QL"; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="hmCYvw9T" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 255C520791 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Type: Content-Transfer-Encoding:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:Date:Message-ID:From: References:To:Subject:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=FF8SLk/2ZlGyzUTYnO2Znrb2Okc74aBz1sNq/aeTjYg=; b=NukAe/QLOfM356ktcej7hb8Kc q+2EQ8keKU+wEBfp2eaBDjEe2Hm59YZ83ov17rNrBbpEHzxZoDCDwvCqtHK1vbTuJ1JuJTn83VqBs TkBssTkwv+mu04y2xMMHwule9LzY1MSOPRiIzqHWegE420RP/wBHvBFDamq/EZeD2wQIiz+yZSoqe j4mfF/suwaMkZL+qjv3i5UWCl0ojSuo4vYHvl4tmdbFtVMr9jmPEhVIhr/5vAsp7/aPtJyWfoX5zL Xs46o+2W2jBIBH06ddgz0N0mbGUFWouqFIlM6M21BuGTnVMAElaKi3QyX4z7ZjHxE/ZnUHT3p+BwN f07pTfXvw==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kX5Xj-0002Ex-H0; Mon, 26 Oct 2020 16:40:23 +0000 Received: from mail-lf1-x141.google.com ([2a00:1450:4864:20::141]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kX5Xf-0002EJ-TJ for linux-arm-kernel@lists.infradead.org; Mon, 26 Oct 2020 16:40:20 +0000 Received: by mail-lf1-x141.google.com with SMTP id r127so12878930lff.12 for ; Mon, 26 Oct 2020 09:40:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=bYYpq/ODtlAp6N9v/jOmvwi4a5DwPQlK76zjEaH5y0U=; b=hmCYvw9TPflPd9H/DK+zYCiLVpY5wiSnYliiGK03r7yuumwzjDfiWUfaETFJkuFXlL QHuf3ENiQc9ybhv0U9lUsM06Seadp7EyAGOaVTxST1ou+WDqigqW997mKZ+cvV1uKUPP e9e/u9S4WZl/5w277vCvBfQHhABwox7LdWIN5koZP7tYuaA5zLWQN9uidAWWVvoLUJYW +w54kOvfmg0XpZYA3gMbNkug0gaWI0CMGdRGtc4zxGxSP8+d6YiFb39REgpsudDcnjBd Ju4exspOqQOM1aJ+gMqmHnyYonF/xDUYbq0piU/yNKW0E67Amo6MdYhnN7/PnKmB9mQG WRAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=bYYpq/ODtlAp6N9v/jOmvwi4a5DwPQlK76zjEaH5y0U=; b=e5S3pycNpPQwinsWE8gTEaxs9DX5S8LvGn3G3npnEr6XPpwVJsCaxH3VHApJfyb2YU HPHId5nurfuMkeV4UVSmKLIkgl3haV4ZcUk+O3E2Lj3oOlO+5fK6IEW9yYo6mSXdzckR 0ZyYXK+9qlM78T5ook3/3ZtDgzbMavqX4g/gQzYZmRFojnCR1yaYyvfahaj4aMkKHRlx ZtcNcE914l1NUda1EaYoaORhKuPzxkqb80Ris6B9IiJn2/wSTCVNhvO9I6hwHu8RNAhY wx9427VACaSbEfI2oJSj4ZwGYOmAyP03mgVnmeWacSAsC0kk8hZSnaGr5XZSxsZnMPiw BGFg== X-Gm-Message-State: AOAM531lWklV/1d7VhGuvIUT/071DJ3t86Ld7wAEFkZuQBc7dXhSicsl rB7xGuguPnL43GTdVfvyAYg= X-Google-Smtp-Source: ABdhPJxEWYhWIhaW1xu9iLYys/ET2q6xrt2OTX3z8cDhceYtdfps/1yk+gQ6n16gAaYymVA4Q5lPRg== X-Received: by 2002:a19:c3cd:: with SMTP id t196mr4934402lff.501.1603730418621; Mon, 26 Oct 2020 09:40:18 -0700 (PDT) Received: from [192.168.1.112] (88-114-211-119.elisa-laajakaista.fi. [88.114.211.119]) by smtp.gmail.com with ESMTPSA id m22sm1091484lfq.12.2020.10.26.09.40.15 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 26 Oct 2020 09:40:17 -0700 (PDT) Subject: Re: BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures To: Dave Martin , Jeremy Linton References: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com> <20201026162410.GB27285@arm.com> From: Topi Miettinen Message-ID: Date: Mon, 26 Oct 2020 18:39:55 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: <20201026162410.GB27285@arm.com> Content-Language: en-US X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201026_124020_026342_62EA1862 X-CRM114-Status: GOOD ( 30.12 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Mark Rutland , systemd-devel@lists.freedesktop.org, Kees Cook , Catalin Marinas , Will Deacon , "linux-kernel@vger.kernel.org" , Mark Brown , libc-alpha@sourceware.org, "linux-arm-kernel@lists.infradead.org" Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On 26.10.2020 18.24, Dave Martin wrote: > On Wed, Oct 21, 2020 at 10:44:46PM -0500, Jeremy Linton via Libc-alpha wrote: >> Hi, >> >> There is a problem with glibc+systemd on BTI enabled systems. Systemd >> has a service flag "MemoryDenyWriteExecute" which uses seccomp to deny >> PROT_EXEC changes. Glibc enables BTI only on segments which are marked as >> being BTI compatible by calling mprotect PROT_EXEC|PROT_BTI. That call is >> caught by the seccomp filter, resulting in service failures. >> >> So, at the moment one has to pick either denying PROT_EXEC changes, or BTI. >> This is obviously not desirable. >> >> Various changes have been suggested, replacing the mprotect with mmap calls >> having PROT_BTI set on the original mapping, re-mmapping the segments, >> implying PROT_EXEC on mprotect PROT_BTI calls when VM_EXEC is already set, >> and various modification to seccomp to allow particular mprotect cases to >> bypass the filters. In each case there seems to be an undesirable attribute >> to the solution. >> >> So, whats the best solution? > > Unrolling this discussion a bit, this problem comes from a few sources: > > 1) systemd is trying to implement a policy that doesn't fit SECCOMP > syscall filtering very well. > > 2) The program is trying to do something not expressible through the > syscall interface: really the intent is to set PROT_BTI on the page, > with no intent to set PROT_EXEC on any page that didn't already have it > set. > > > This limitation of mprotect() was known when I originally added PROT_BTI, > but at that time we weren't aware of a clear use case that would fail. > > > Would it now help to add something like: > > int mchangeprot(void *addr, size_t len, int old_flags, int new_flags) > { > int ret = -EINVAL; > mmap_write_lock(current->mm); > if (all vmas in [addr .. addr + len) have > their mprotect flags set to old_flags) { > > ret = mprotect(addr, len, new_flags); > } > > mmap_write_unlock(current->mm); > return ret; > } > > > libc would now be able to do > > mchangeprot(addr, len, PROT_EXEC | PROT_READ, > PROT_EXEC | PROT_READ | PROT_BTI); > > while systemd's MDWX filter would reject the call if > > (new_flags & PROT_EXEC) && > (!(old_flags & PROT_EXEC) || (new_flags & PROT_WRITE) > > > > This won't magically fix current code, but something along these lines > might be better going forward. > > > Thoughts? Looks good to me. -Topi _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel