Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp5469080pxu; Thu, 22 Oct 2020 03:14:26 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwEKP1teVJWvc+jP9IaoFYBvE2BpPNwmMh9p1thcSEL0XdTxMnDrEy9ed1R01vaddtJsjs4 X-Received: by 2002:a05:6402:1684:: with SMTP id a4mr1544271edv.319.1603361666158; Thu, 22 Oct 2020 03:14:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603361666; cv=none; d=google.com; s=arc-20160816; b=YzxPyRei2apE6A0FoL94VYlKw8SQsLeC5G+gNHtSnVK0sFaY5GEnOpsDndca3dyHwk UC/p/bL5aRMB1+lLCKMZhnXVb6RsSFBJtuCQPSz7xNgVVzRCh7bULRKGx/OWKzGppzwt WNDOuVTC9oW6kWiyrG/r7TkKorQf0uu1+2vyYuO9DVcGawbdw9Mx1Ag4j/bBkrToo+1T XmPYOYb+DCuUz1CeneZLZPNycHlww5l+n2DhgxkTBBcFnr+igJrFf5aZU6Ac+EcxSge4 12PqR0iDYikHZwy4aaMzKrpBejlVmy89CvCBeOC1VVPHIxofH/wGI7EE213S7RyWmh9Y xEYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=sYnH6aqIwTQitjCjG/9NQOBr5RVniOR4tlgCFK9V1uk=; b=zDo31G1GSrWzjk6/qXA5e/vivklS/XvdALFfEZzkt2EeYJ2bBb1f7AxHtVLWeIlBmh S/Fi63EeS9Hm5TCNMU+gV6dmzUQ78mvKnA5nL70se9f1iqBjcqgNOhfr1bMQcCG7uVny mO2IflfehEHVZ3mpaF7dQ9r1X6c/NcprExOXTFA3CzN4cjuJPHQlaWTr2DAgqjUGpFJQ VPc5SHiCUWi3n7HDwtX4bmUJVme05MViN7k2ikSUcDXZCQBLuQxoWQW/JXerFdrt2Ud0 OpUQb6tf9c77czUTDY5wLrbOc6ph7us9Ge60vJeyFFXRJnoMOSaX5vCflsu7PTN7w8Gj ILOw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Ky8oYdpr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c23si560735eja.144.2020.10.22.03.14.03; Thu, 22 Oct 2020 03:14:26 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Ky8oYdpr; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2896349AbgJVKMb (ORCPT + 99 others); Thu, 22 Oct 2020 06:12:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49972 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2896284AbgJVKMa (ORCPT ); Thu, 22 Oct 2020 06:12:30 -0400 Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 366E9C0613CE for ; Thu, 22 Oct 2020 03:12:30 -0700 (PDT) Received: by mail-lf1-x12a.google.com with SMTP id z2so1560673lfr.1 for ; Thu, 22 Oct 2020 03:12:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=sYnH6aqIwTQitjCjG/9NQOBr5RVniOR4tlgCFK9V1uk=; b=Ky8oYdprKO2xoRNJlLlTQiV3N0tpxU4CVqLVPMC48m1Zyj9bC5WDIcOPZUci/12fJn ppSIzXAfoFaa7pm6qW1otMPV1wupW3GNxDcAizZdVf3B8/Kfs8EIrbtikK8tBPQGgzo9 Sl9acr1aQKhjNR9vceckmJZNKR5trCNwblI1jlN5vsyhCa96C37s7T3jYR5LKel7zK0T qug6hRq32LYUOiT3IDcSgsoxafAEuMrmOFOdxhPJ+rwjXexFj1jxTwQkf1iARDYSrvj3 frouoaK8xNlWT0slcMGB74tnokZbGPj1eXS2xs6MZMbU9EcpnNvXvIsBDjSBn/QOuwM1 lgBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=sYnH6aqIwTQitjCjG/9NQOBr5RVniOR4tlgCFK9V1uk=; b=sYcBriMXdXJEhzWWEw8vdWWTl3FjkbkzHksAO+rlkOOvmGwemUYlTEftLx1KV6JcTF 7FhEiNDmBZHYHTr+ON083fJ5JAyjbhADmiJXTgi0Zw0qrVPMQbaOLKG9TAthERA9yP2z o0zZ6TICAfNnROSXariTa0e5q/p0CRrmsgkinww5jvL10ny1OBo2Wjgy39UzZyett2NI e7VNH6NrtEVGSYKsqvXlAozvlO6+TyaGj5rDNe2KDkuuyDfqrxjFPZi8o9ZlaCasQpqW QJSCewDmVZ+eSAPBMAIUEHXiHKznoSV+B/GvtWBNKlkPVONFKkozsahz928N69DpLt63 qC+w== X-Gm-Message-State: AOAM531LowcKKcycFyz2NsEMK54xEjUahA9mfkwn0Q9E00UhYZoGGfeq 0HaVtvG1U8qcxwkwjgAq7d8= X-Received: by 2002:a19:80d5:: with SMTP id b204mr547967lfd.384.1603361548691; Thu, 22 Oct 2020 03:12:28 -0700 (PDT) Received: from [192.168.1.112] (88-114-211-119.elisa-laajakaista.fi. [88.114.211.119]) by smtp.gmail.com with ESMTPSA id x20sm229660ljj.139.2020.10.22.03.12.25 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 22 Oct 2020 03:12:27 -0700 (PDT) Subject: Re: [systemd-devel] BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures To: Catalin Marinas , Lennart Poettering Cc: Szabolcs Nagy , Florian Weimer , Mark Rutland , systemd-devel@lists.freedesktop.org, Kees Cook , Will Deacon , "linux-kernel@vger.kernel.org" , Mark Brown , libc-alpha@sourceware.org, Dave Martin , "linux-arm-kernel@lists.infradead.org" References: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com> <20201022071812.GA324655@gardel-login> <87sga6snjn.fsf@oldenburg2.str.redhat.com> <511318fd-efde-f2fc-9159-9d16ac8d33a7@gmail.com> <20201022082912.GQ3819@arm.com> <20201022083823.GA324825@gardel-login> <20201022093104.GB1229@gaia> From: Topi Miettinen Message-ID: <4e82e730-4e71-35fe-e46e-f032766dedeb@gmail.com> Date: Thu, 22 Oct 2020 13:12:09 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: <20201022093104.GB1229@gaia> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 22.10.2020 12.31, Catalin Marinas wrote: > On Thu, Oct 22, 2020 at 10:38:23AM +0200, Lennart Poettering wrote: >> On Do, 22.10.20 09:29, Szabolcs Nagy (szabolcs.nagy@arm.com) wrote: >>>>> The dynamic loader has to process the LOAD segments to get to the ELF >>>>> note that says to enable BTI. Maybe we could do a first pass and load >>>>> only the segments that cover notes. But that requires lots of changes >>>>> to generic code in the loader. >>>> >>>> What if the loader always enabled BTI for PROT_EXEC pages, but then when >>>> discovering that this was a mistake, mprotect() the pages without BTI? Then >>>> both BTI and MDWX would work and the penalty of not getting MDWX would fall >>>> to non-BTI programs. What's the expected proportion of BTI enabled code vs. >>>> disabled in the future, is it perhaps expected that a distro would enable >>>> the flag globally so eventually only a few legacy programs might be >>>> unprotected? >>> >>> i thought mprotect(PROT_EXEC) would get filtered >>> with or without bti, is that not the case? >> >> We can adjust the filter in systemd to match any combination of >> flags to allow and to deny. > > Yes but Szabolcs' point to Topi was that if we can adjust the filters to > allow mprotect(PROT_EXEC), why not allow mprotect(PROT_EXEC|PROT_BTI) > instead? Anyway, I see the MDWX and BTI as complementary policies so > ideally we shouldn't have to choose between one or the other. If we > allow mprotect(PROT_EXEC), that would override MDWX and also disable > BTI. Allowing mprotect(PROT_EXEC|PROT_BTI) would mean that all you need to circumvent MDWX is to add PROT_BTI flag. I'd suggest getting the flags right at mmap() time or failing that, reverting the PROT_BTI for legacy programs later. Could the kernel tell the loader of the BTI situation with auxiliary vectors? Then it would be easy for the loader to always use the best mmap() flags without ever needing to mprotect(). -Topi