Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp5435006pxu; Thu, 22 Oct 2020 02:07:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwJNneTfboe9XR9+b2Zc6EhDjKJaPK8J+CrXf0HEYQPpnCXmAYlj8ACrYPOjXTYZMYi62Ht X-Received: by 2002:a17:906:c43:: with SMTP id t3mr1248102ejf.219.1603357676107; Thu, 22 Oct 2020 02:07:56 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1603357676; cv=pass; d=google.com; s=arc-20160816; b=GvS3Q5lTPDr5ADbFXkDf8U+0AcNdunJUndGiu11TojKoN4p7Y7SWnWspcoWV+jvfcC W/IuRBVRfLLj6YuGnSQ//k+A+JiTlD9jGRGDkKR9q05WX8mcvZtPjc7tpSPOtnd5Azag swDPtnKMpSuZGGsxkP78tk3ppRm0nBDISVBsIaNayHCELk5Hkgzb366TEqSZfm6WbKfZ +qvzXbvjZw1nrFZ3WW46z+fT7KNUyvPNBpqresGV1ZMUfCxNg9CSRvhM7qGTi2IT3tjR IEPVU+osLfr9vWLvBxjf5iUOtOVpKGePLXj2X/jHERWZsFSO8n8YT9jWgGm+zR/nvWcf qHiA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:original-authentication-results:nodisclaimer :mime-version:user-agent:in-reply-to:content-disposition:references :message-id:subject:cc:to:from:date:authentication-results-original :dkim-signature:dkim-signature; bh=dwGoYEOrT96rkCrmWrVdS3Ox3JODt/wXW3ZFE1h2fZ4=; b=rlNslIatYzi2VwZJhx22uG2tCfJf5d7Zfa19jsw1DXoktpaNosUypNmmQ+iGiBcY/K n2NYYDMYrmJX6mAe3X5Fd406BDW67z/Ya8G1YfNrlJzWKJVKHywPVBg06+YFUVieoPDV I7FSedArhGJHTgEeXDuM3ew9SEs2MNZ8Uv2Qw17LJz6iOYG/1E/X/jXgzr7TyK4hDzBV BMGcwgbxtEBHVsq4+SAielpfMQ90lV4Gsw9PN/zPOr0eruaTTsTTSdjSfLjxUkKanv0N LofSi3X49wjK14qzo3LHwATfvZ1kUifnj/ZkT1PtRPNc4m8r4YzduUQuMLluIo3lepEM W5sA== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@armh.onmicrosoft.com header.s=selector2-armh-onmicrosoft-com header.b=2nJbxlWt; dkim=pass header.i=@armh.onmicrosoft.com header.s=selector2-armh-onmicrosoft-com header.b=2nJbxlWt; arc=pass (i=1 spf=pass spfdomain=arm.com dkim=pass dkdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bu15si561556edb.481.2020.10.22.02.07.33; Thu, 22 Oct 2020 02:07:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@armh.onmicrosoft.com header.s=selector2-armh-onmicrosoft-com header.b=2nJbxlWt; dkim=pass header.i=@armh.onmicrosoft.com header.s=selector2-armh-onmicrosoft-com header.b=2nJbxlWt; arc=pass (i=1 spf=pass spfdomain=arm.com dkim=pass dkdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2507646AbgJVI3a (ORCPT + 99 others); Thu, 22 Oct 2020 04:29:30 -0400 Received: from mail-eopbgr60050.outbound.protection.outlook.com ([40.107.6.50]:5841 "EHLO EUR04-DB3-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2444569AbgJVI33 (ORCPT ); Thu, 22 Oct 2020 04:29:29 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dwGoYEOrT96rkCrmWrVdS3Ox3JODt/wXW3ZFE1h2fZ4=; b=2nJbxlWtiHwJE5Bb9CCLGWIM6EsN0IliRFSNMIppb3psoqi7dF1eQQ9eIhMnmHhSxOvh5cgKEA0v15ERaCWAld11L0mxwm9LqjKdq4/SWtHAdJfYox13UuPxG22sWU0zOGx3UEQjH6T5Xtw1OAirGVjFu3uCroVGV/E5Sqb5BPs= Received: from DB6PR0202CA0040.eurprd02.prod.outlook.com (2603:10a6:4:a5::26) by AM5PR0801MB1779.eurprd08.prod.outlook.com (2603:10a6:203:2f::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3477.28; Thu, 22 Oct 2020 08:29:25 +0000 Received: from DB5EUR03FT025.eop-EUR03.prod.protection.outlook.com (2603:10a6:4:a5:cafe::4f) by DB6PR0202CA0040.outlook.office365.com (2603:10a6:4:a5::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3477.21 via Frontend Transport; Thu, 22 Oct 2020 08:29:25 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; vger.kernel.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;vger.kernel.org; dmarc=pass action=none header.from=arm.com; Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com; Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT025.mail.protection.outlook.com (10.152.20.104) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.18 via Frontend Transport; Thu, 22 Oct 2020 08:29:25 +0000 Received: ("Tessian outbound 7c188528bfe0:v64"); Thu, 22 Oct 2020 08:29:25 +0000 X-CheckRecipientChecked: true X-CR-MTA-CID: cb270875d4d9ffb8 X-CR-MTA-TID: 64aa7808 Received: from ddf8c3127fda.2 by 64aa7808-outbound-1.mta.getcheckrecipient.com id AE1344C3-D1BF-4D62-AE29-7C32083ED776.1; Thu, 22 Oct 2020 08:29:17 +0000 Received: from EUR04-VI1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id ddf8c3127fda.2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Thu, 22 Oct 2020 08:29:17 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=iXOgQJJrWBS18vEAw0JaNQNbrXC0twpAyna/6ZsrsPAwicAEZsInYCnBbRy54NBEUEanlWCXXfjoxIsks9OT2Ap69XjS9PNGzgUYMzu9wXfSSPnsbHPzyRojXndjZJVlDi/f27Pf3vJjJKwmji9+ATK0/Hay50hbVNYFTYe1+IBWP51bWw/KTdhe/vGyMI07PWJHMfE5/RwMQLSH/HD7UHVjshX5kce0P90ZHITduDwlDeKf7HYTWJkew58SFLIQNQNr1z6/TiNQGwJbKvWJUWAMO4/M0zL9ipFxw6uiAm3amf8glbNvIoIRrkJlNFtAFPSFceoNPX1a3JnuGNnr7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dwGoYEOrT96rkCrmWrVdS3Ox3JODt/wXW3ZFE1h2fZ4=; b=ObaJY2xMdenkMQB1XE6mkkOql2zVngRCnEqFQDShurEZpkYJMj+0IFrXM7EjZUu7hvt5g9/qieKuEmMbtneBaigw/mQAEYDK45iTfMcBo31eycK9hzXqibxtrjl5nWVHesnXCW0a5noH+6jBEbadTN+Bpj/v5LEGblchG1xb4p7MtJ32XU5Hrv11Vd+5GR+jrrQMfz4fWG5Qf4WIBZNK3Z4JnubFzdmaiEzuBBdKohsdevuRNHoK60XfYU8YVshSKorC+ITfLMVQ6CPExzOwAtc0wUjuGXTFV1xXDh3XTCoEQaTBPMCzge0wjVlprxNy3F4Sh5OY4QcgM6TjCTq0Wg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dwGoYEOrT96rkCrmWrVdS3Ox3JODt/wXW3ZFE1h2fZ4=; b=2nJbxlWtiHwJE5Bb9CCLGWIM6EsN0IliRFSNMIppb3psoqi7dF1eQQ9eIhMnmHhSxOvh5cgKEA0v15ERaCWAld11L0mxwm9LqjKdq4/SWtHAdJfYox13UuPxG22sWU0zOGx3UEQjH6T5Xtw1OAirGVjFu3uCroVGV/E5Sqb5BPs= Authentication-Results-Original: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=arm.com; Received: from PR3PR08MB5564.eurprd08.prod.outlook.com (2603:10a6:102:87::18) by PA4PR08MB6141.eurprd08.prod.outlook.com (2603:10a6:102:f2::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3477.21; Thu, 22 Oct 2020 08:29:15 +0000 Received: from PR3PR08MB5564.eurprd08.prod.outlook.com ([fe80::957e:c80e:98f4:23d6]) by PR3PR08MB5564.eurprd08.prod.outlook.com ([fe80::957e:c80e:98f4:23d6%6]) with mapi id 15.20.3477.028; Thu, 22 Oct 2020 08:29:15 +0000 Date: Thu, 22 Oct 2020 09:29:12 +0100 From: Szabolcs Nagy To: Topi Miettinen Cc: Florian Weimer , Lennart Poettering , Mark Rutland , systemd-devel@lists.freedesktop.org, Kees Cook , Catalin Marinas , Will Deacon , "linux-kernel@vger.kernel.org" , Mark Brown , libc-alpha@sourceware.org, Dave Martin , "linux-arm-kernel@lists.infradead.org" Subject: Re: [systemd-devel] BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures Message-ID: <20201022082912.GQ3819@arm.com> References: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com> <20201022071812.GA324655@gardel-login> <87sga6snjn.fsf@oldenburg2.str.redhat.com> <511318fd-efde-f2fc-9159-9d16ac8d33a7@gmail.com> Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <511318fd-efde-f2fc-9159-9d16ac8d33a7@gmail.com> User-Agent: Mutt/1.9.4 (2018-02-28) X-Originating-IP: [217.140.106.54] X-ClientProxiedBy: LNXP265CA0047.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5c::35) To PR3PR08MB5564.eurprd08.prod.outlook.com (2603:10a6:102:87::18) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from arm.com (217.140.106.54) by LNXP265CA0047.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:5c::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.18 via Frontend Transport; Thu, 22 Oct 2020 08:29:14 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-HT: Tenant X-MS-Office365-Filtering-Correlation-Id: cd356d35-32da-43a2-c548-08d87664959a X-MS-TrafficTypeDiagnostic: PA4PR08MB6141:|AM5PR0801MB1779: X-MS-Exchange-Transport-Forked: True X-Microsoft-Antispam-PRVS: x-checkrecipientrouted: true NoDisclaimer: true X-MS-Oob-TLC-OOBClassifiers: OLM:10000;OLM:10000; X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam-Untrusted: BCL:0; X-Microsoft-Antispam-Message-Info-Original: k/IN4WjNFdYnmj9Yh7XEXnnjmpJnhFv4xUxs0iI8roha6WGR3nibmK4aNGXJ7QO1eqFkmQNqDgUPq3QdV9kwzd4U03cbyxMManqOfE9XVujQlEM8zwpudIaanUIzBqWGSZ4zLkfbXP6LLT3ijhZG0uzlzIqBmxl63FsrSmXpPkL+YsMSeGDcrkmxMuDAEv5HkbvBgt+3f+p9IJdZ2oM3xP/BCbfV/zqY7tV/XeOTfP+kCqMSbf3xbh1At/bq85ht05gYsxE+bDKM9sw1+C5Kjysl2TKG2zTC9rSyxl6g0TyYhPTKtS16bPs/fly5V6yrdRq5ebdZOqidJzmsvm578lF81hnz0nicgaZvYRN505UA+QtKGhk3c6oDfTEpuPpB6nirDXjUzXJK8xymWfLuXw== X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:PR3PR08MB5564.eurprd08.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(346002)(396003)(366004)(376002)(136003)(39860400002)(966005)(5660300002)(2906002)(8886007)(55016002)(26005)(478600001)(1076003)(186003)(7696005)(52116002)(8676002)(16526019)(44832011)(66946007)(66476007)(66556008)(316002)(36756003)(8936002)(6916009)(4326008)(2616005)(33656002)(54906003)(956004)(83380400001)(86362001);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData: d3QTZM4x8ULLVxRHSmMIEofvqV6OeiFp/08wPg72yRYq5l9n03l1Phdoi1KLElbEonGTALNoJnKgsqxSgDOp+VVtwaah5PMWmV+TsMgF5ppApnGXRapdGDmPfvONrcVWE9ZcJ29iOtY76dkOs/LrLIA7bjAYCIrmZJLZFCJvHxT+jkd2ChDB+tHa1EkEA4W0RVFtPfwaeAsVw1usPRqUBH+5ybEutH2E6hwHbtpnqiL0emyc6tubB+XMkA1V/kaAtn2k53Mu9O7MdV8D2ZxmS9/mDzFX9YpCwIJ0241EuvzV6g9T7Y/bV1ahIZtbMFTY2esQDgFIpGEGpVhsSPwfeRsFXMv9TZZV9Yc6BH8FY13FJoLWNmJ9jgkTSB+fpl8vJGVit04Iw9xi8AT5W0JIm7OcPaiYh0yrDzwt03YXGmSCzUy6kHV3PTPFnFpcPv8R9PPSqrO7mcDh4eJd6qh8XiaA4M37jrWsPbb92JMJzY5XFPzm56qSa+R9117vDxMUAL/8mOD399njuXitGksXcXn4SDtbBJCySUhtbkdcKENqr6gZTeEpuIkw+KBiv23tylMhApWZl2w55gDJ4HxGo3K1hB/RSBwl5PqDM8gcZ9WklcXmhvYAFXdu8anEe8R/i4agcli4D6mQEhBqlAp71A== X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR08MB6141 Original-Authentication-Results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=arm.com; X-EOPAttributedMessage: 0 X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT025.eop-EUR03.prod.protection.outlook.com X-MS-Office365-Filtering-Correlation-Id-Prvs: a7b3ee6c-c4f5-45a4-4383-08d876648f6d X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: YytYYScXINyjpB4DOaeoeOXH6SfVjjYO6jeoXDB55RxEIwuavSSS7lVM/a+FCJmfujnllJz86HP42NiQrti1pBSGD1lgxVG1oqWXiK+ob8m+YaC9j3R0fKB1jTEJduXjmDV2RS2VaVBCZx/A5RAoNmVCwwlvVcKSL/WfRWn9QWwAWdLBDnw+eU+0PLH1PY7yKzQDu4Q6nwKWUuUX4OrBqf+I0yp/9SPx5Geb1upQTYdkzPCJWf7wWOyZmre363NJntOqFp2CTwbMo6c1eoP/XJTfpmHlwoO/MRTe9bUkGJLrkI1IXqunLIZpUPfzxqt7WN/pmVzhJBFJ8EIUMr8ER9qR9OeelMihqbQbVXy4HO0OauPqYIriXNUK5rIvHblxekqUshD3avXZIY/cgoJOexQPJUyd+MwiZ+qCQusfcZDwi+2YufDaDUeFXVqMiwz41t9ygst98EvOxWC9RpG4CTMwx9Rvg6yi4OyxMw8Ad98= X-Forefront-Antispam-Report: CIP:63.35.35.123;CTRY:IE;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:64aa7808-outbound-1.mta.getcheckrecipient.com;PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com;CAT:NONE;SFS:(4636009)(396003)(136003)(376002)(346002)(39860400002)(46966005)(966005)(336012)(316002)(47076004)(8676002)(86362001)(81166007)(2906002)(5660300002)(82740400003)(1076003)(107886003)(55016002)(6862004)(70206006)(26005)(33656002)(956004)(186003)(4326008)(44832011)(7696005)(2616005)(16526019)(54906003)(83380400001)(8886007)(36756003)(478600001)(8936002)(82310400003)(356005)(70586007);DIR:OUT;SFP:1101; X-OriginatorOrg: arm.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Oct 2020 08:29:25.1610 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: cd356d35-32da-43a2-c548-08d87664959a X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d;Ip=[63.35.35.123];Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com] X-MS-Exchange-CrossTenant-AuthSource: DB5EUR03FT025.eop-EUR03.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0801MB1779 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The 10/22/2020 11:17, Topi Miettinen via Libc-alpha wrote: > On 22.10.2020 10.54, Florian Weimer wrote: > > * Lennart Poettering: > > > Did you see Topi's comments on the systemd issue? > > > > > > https://github.com/systemd/systemd/issues/17368#issuecomment-710485532 > > > > > > I think I agree with this: it's a bit weird to alter the bits after > > > the fact. Can't glibc set up everything right from the begining? That > > > would keep both concepts working. > > > > The dynamic loader has to process the LOAD segments to get to the ELF > > note that says to enable BTI. Maybe we could do a first pass and load > > only the segments that cover notes. But that requires lots of changes > > to generic code in the loader. > > What if the loader always enabled BTI for PROT_EXEC pages, but then when > discovering that this was a mistake, mprotect() the pages without BTI? Then > both BTI and MDWX would work and the penalty of not getting MDWX would fall > to non-BTI programs. What's the expected proportion of BTI enabled code vs. > disabled in the future, is it perhaps expected that a distro would enable > the flag globally so eventually only a few legacy programs might be > unprotected? i thought mprotect(PROT_EXEC) would get filtered with or without bti, is that not the case? then i guess we can do the protection that way around, but then i don't see why the filter cannot treat PROT_EXEC|PROT_BTI the same as PROT_EXEC.