Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp5866052pxu; Thu, 22 Oct 2020 13:06:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxac7A9brnmXuJMD9cm15ayly6YvYqmWN3R+CVNI6Hyf1CdR90oxsCwgfKhbRLoycJtc9uU X-Received: by 2002:a50:d642:: with SMTP id c2mr3996225edj.342.1603397191411; Thu, 22 Oct 2020 13:06:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603397191; cv=none; d=google.com; s=arc-20160816; b=UnjbyKa/L7FqA8s1iHcwgUcEUJEO3uEg4H6k2ojQY46iCCB0Ky0EZrX1Wm1hwyKYvT bFA1/ejVdidw2WWDdAAeq4T6jpcYkJcFtTe6Tqj44DpDkATeWmmCn7LT1g8GMN144Q33 9gFqDvV0xn4nKTyc6RcBfOzk0weo/kO5CDo9GvYkse/rGGC90/13DvpYj21+npnpp/C1 UP98ehzzpWjdzFGZFpZqK8c6c22G+ewcU5CwcnvroidrpSjMlUrPLEwJbG+pxcBmne5y 1yVFNKTSKVYz2L0QFrNBLb7edzu4imPeJQ72BsUVjD+OmeqlSAiC44Ou+xrHd6HgUOc+ 85lw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=v+g60jSFAWmJk25t84LrgkacnZZF5EGyn0T0qZYVJPQ=; b=O4LuJIfhjmiSv7hp9K7YCy9+drdjBMDYhl4QsHzKzCqKFpiXfRuvQllc6OHJdheT0t Qzt9ZLHqahdwKrOWMJo9bnYpXUygKZG58ydYIb8RUek5DEw4vQQrE6aERf2WV2oIljFl ZU0+2Pm0iSFux7MeQSrEj72IXkfVXip9GFZ28v5s3un+9BO5LGhnRur1f05G25eOD98e qPA+Fd3a9czzi8lRHGw4KPB1tMnKitzL++o1HKeZeZSjfGVCUOYGDSCDr9g65u/wARzm sMrq86WpEhVZkTtUOwFXAXKa4upFcx9CdoKvld/caISVn6B8+bXKd7cMhNqHCRE9EdL1 bMYg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=denJkyKo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ck29si1558274edb.267.2020.10.22.13.06.08; Thu, 22 Oct 2020 13:06:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=denJkyKo; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2896286AbgJVKEV (ORCPT + 99 others); Thu, 22 Oct 2020 06:04:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48710 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2896273AbgJVKEU (ORCPT ); Thu, 22 Oct 2020 06:04:20 -0400 Received: from mail-lf1-x144.google.com (mail-lf1-x144.google.com [IPv6:2a00:1450:4864:20::144]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DD4BC0613CE for ; Thu, 22 Oct 2020 03:04:20 -0700 (PDT) Received: by mail-lf1-x144.google.com with SMTP id d24so1505356lfa.8 for ; Thu, 22 Oct 2020 03:04:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=v+g60jSFAWmJk25t84LrgkacnZZF5EGyn0T0qZYVJPQ=; b=denJkyKo92QmJssuyfNHfRh0bkOUOm5JqGz3HF1V9AggK73d8uBn1SVUc6JwVPJT3t CZZH2hDr8ZvCnvN5OuDbmntXCPNXzvk9S9X0CIc0r3jl31ctji8I/Jnzw+Cjgombxodf pJ+LcpOpCw+4LSzfK7fIJbztKe2RblaEqbo6uG6Qil0PDVeAIo2/vyKdke/9/hOHob2R zdikt4Q9Rxzuw+JOmRY1Wvj//l5kpKiNlCk/sDoUMLkG+J2OSKzstDfkBdYN9xoiAxI8 9j6/5ywhVoesc97aCeT5ocNG+WPTaZmjOxHhy0+4XEMwne8jJ7X6KQUlwHe0d4/R8uz8 vBlg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=v+g60jSFAWmJk25t84LrgkacnZZF5EGyn0T0qZYVJPQ=; b=IVRFpd9KE8yCrnEVfKA7LFOm7A1EKfySfeCCs+C5djW1esNsHTGaVvmsw0bNNFQ4hO L/Lp0UdAzuYwMh3oC0iRjc72GLOtG6Quy7qk4VcjVJyveqMn9gYnRoSnDEmPG5n41LB1 fFlwl4hz+pP/qJhSer1u1zONYv8IR0krbjDS//PxWnu4OUXPhjxqPclbZZsSr3WQauJe odE4v19uBfJSDk2tlDS40yYA/kDfWlKIAYI+ymNGAzQyQFBFrsYDtQkEuWafSBrVsUcm 3xfY5R3PuFCzxTdrBsEzLYr4klH60ehYjQzhOVcf0FhjWr8cKvZcgKNfhvktwp3QByBH Gx2A== X-Gm-Message-State: AOAM531fW6WnNh8WxMIB5Mowp+UlebIzoBua+Kngp8Qgq7yP4/UhHta8 9ICOj4Zxahg0Ch6GMSGXi/g= X-Received: by 2002:a19:434f:: with SMTP id m15mr528494lfj.601.1603361058694; Thu, 22 Oct 2020 03:04:18 -0700 (PDT) Received: from [192.168.1.112] (88-114-211-119.elisa-laajakaista.fi. [88.114.211.119]) by smtp.gmail.com with ESMTPSA id m4sm227110ljg.137.2020.10.22.03.04.15 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 22 Oct 2020 03:04:18 -0700 (PDT) Subject: Re: [systemd-devel] BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures To: Szabolcs Nagy Cc: Florian Weimer , Lennart Poettering , Mark Rutland , systemd-devel@lists.freedesktop.org, Kees Cook , Catalin Marinas , Will Deacon , "linux-kernel@vger.kernel.org" , Mark Brown , libc-alpha@sourceware.org, Dave Martin , "linux-arm-kernel@lists.infradead.org" References: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com> <20201022071812.GA324655@gardel-login> <87sga6snjn.fsf@oldenburg2.str.redhat.com> <511318fd-efde-f2fc-9159-9d16ac8d33a7@gmail.com> <20201022082912.GQ3819@arm.com> From: Topi Miettinen Message-ID: <55b44a39-ab19-363e-3703-9bf4e7d75f68@gmail.com> Date: Thu, 22 Oct 2020 13:03:59 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: <20201022082912.GQ3819@arm.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 22.10.2020 11.29, Szabolcs Nagy wrote: > The 10/22/2020 11:17, Topi Miettinen via Libc-alpha wrote: >> On 22.10.2020 10.54, Florian Weimer wrote: >>> * Lennart Poettering: >>>> Did you see Topi's comments on the systemd issue? >>>> >>>> https://github.com/systemd/systemd/issues/17368#issuecomment-710485532 >>>> >>>> I think I agree with this: it's a bit weird to alter the bits after >>>> the fact. Can't glibc set up everything right from the begining? That >>>> would keep both concepts working. >>> >>> The dynamic loader has to process the LOAD segments to get to the ELF >>> note that says to enable BTI. Maybe we could do a first pass and load >>> only the segments that cover notes. But that requires lots of changes >>> to generic code in the loader. >> >> What if the loader always enabled BTI for PROT_EXEC pages, but then when >> discovering that this was a mistake, mprotect() the pages without BTI? Then >> both BTI and MDWX would work and the penalty of not getting MDWX would fall >> to non-BTI programs. What's the expected proportion of BTI enabled code vs. >> disabled in the future, is it perhaps expected that a distro would enable >> the flag globally so eventually only a few legacy programs might be >> unprotected? > > i thought mprotect(PROT_EXEC) would get filtered > with or without bti, is that not the case? It would be filtered, but the idea is that with modern binaries this would not happen since the pages would be mapped with mmap(,, PROT_EXEC | PROT_BTI,,) which is OK for purposes MDWX. The loader would have to use mprotect(PROT_EXEC) to get rid of PROT_BTI only for the legacy binaries. -Topi