Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp271210pxu; Thu, 22 Oct 2020 23:28:45 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxWeTVVCPP27Ckj33Jxuls5gMvrKmdwS6ihN0aC4AnXqipA2vObCEv6Cgcxfajv0nUvtvO8 X-Received: by 2002:aa7:c451:: with SMTP id n17mr751849edr.266.1603434525516; Thu, 22 Oct 2020 23:28:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603434525; cv=none; d=google.com; s=arc-20160816; b=ZRVcWgF106SJJFjSWLRsssGQjW2awNPB09/N6ZMuDyIWpO3KojiSayM164HZISC0D0 WN4A2ap133OxNsMWwQ9H4jfF6XJkYuBi/QNDnCmNClL5FYCT3cr9rHzl2CgdKjfrq3z1 OHCOPnV6xQCDFJwzEmrsAemePEYkhjTmYvQ4TxeE51iF83YavaQ1Q2cOV30QBPJ2bTCh Tax01hYpnIMItdszOfFdjHzZV4zzUEvuW1xIYXmFVSYapc5Aa0Nb+Hr/pgjGFhw8rW9I sm2GqbWGmJcjZBb9LHq7gvgWvQCVAbd4okMC+ji7ZW6RgudfkejRaGnDySd/GdbRHL3R znmw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=UkMo9YSByP/9a+a4AdI+yi1vCaJEUjkdx9AvlbGG/VA=; b=mYYJqT0Kson5uoLhbu4HH50cpRnVQ4dg50Cc8xswMYRQ6udNNPu4qDbWDYzLnVoQD9 qbPx/yRF7k8Zvj9+H4Ul+ymzXCHzIzBarR+y9H0vEjUexKjO1t6T5kZ0VAfBobD7Ru/W XjRP1DOXED72/7LbAWD8C3JMx0yI076/c5R6S0UVCzp4uQfbz8SeMxWFeQqAHoPVBdnM KEK4Z1ZVPTxf8aJuLpJXoiLcj37bAu+afJP2f/Fqp6nhpANt2vq7tOjBeTCQdrgU1exo xs5Y9NPUo0BCpEO1KBpnTqBqg52uu5BPoAbLLh04ug3dpSp59EDkorDiOtD0gthZ59YF XFpw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ng91Tdl3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v1si274690ejd.624.2020.10.22.23.28.22; Thu, 22 Oct 2020 23:28:45 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ng91Tdl3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S372736AbgJVWYj (ORCPT + 99 others); Thu, 22 Oct 2020 18:24:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50460 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S372504AbgJVWYi (ORCPT ); Thu, 22 Oct 2020 18:24:38 -0400 Received: from mail-lj1-x242.google.com (mail-lj1-x242.google.com [IPv6:2a00:1450:4864:20::242]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B3A92C0613CE; Thu, 22 Oct 2020 15:24:37 -0700 (PDT) Received: by mail-lj1-x242.google.com with SMTP id a28so3667136ljn.3; Thu, 22 Oct 2020 15:24:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=UkMo9YSByP/9a+a4AdI+yi1vCaJEUjkdx9AvlbGG/VA=; b=ng91Tdl3pBDoUkFKc2xVpnTG6o2MSBkFORHCAoFWFxOTuXcSSix3p48H5kxjR3nEWa AdVvc0c2ziFBrWsswAVwD1yD+S5SzTPqtfzqXo0aodkq+OiTrgVdN1/4GuKOdUqyUmQr +GRE7KLCrzhSUdATfpPd+h+gOp/E8oy30yyrWHiuTytbDUgoEFIP3XRcYPkG88+etdbU vNLQHlrvXgYoqwCfudllzcoqxrgW33i8LHTj89uBQjW5chudCu5CNynRRKRbBl+MZoXV TTOkrpS3bZ2Y3zJ3QgwHg33LdIYo3UBPzNPWNwaAlw1p/NaVd2Wp5fg6n9fJ4micW7KS /PYg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=UkMo9YSByP/9a+a4AdI+yi1vCaJEUjkdx9AvlbGG/VA=; b=BpSRUWKdCGLkJCNTsDZKv1JJqkesaWec2YtArKT/NupVBGphuXkQYv5bQ+CISbNuK+ 3FYdodeoah37/ZIz2mlGRbTI/ia/C/4s7mGOIkN3Vwpd0yNHbq0sPFzFbFG7q41fiHad 6oN5L0IiTU2Jn9GbpnXWZ/asmxDNl2zJv3g2vIZGhwRU9BsdE8S2QQSgdOP89zGVoS5U 8skL7T2Txtneelw/0eAcnl9hJCFYU2fhuWMOI1OmgYHteZSM6jyj0h5ti720eS4a3dpo 2mMCZS1QSco8dWNLTsuc3GnWTVq4eAue6AQgow5xdBgt60bR3louCcXd+2c6jW7e/fry BMDw== X-Gm-Message-State: AOAM533BgG8nAbbosyg3I9IPa67r1l6QaVRO3Kaehx9SFCWQv8TB773w 1fGF2qMvMzJwYZm5ze0p3GpOL5GZ+fxqlQ== X-Received: by 2002:a05:651c:1194:: with SMTP id w20mr1737072ljo.174.1603405475827; Thu, 22 Oct 2020 15:24:35 -0700 (PDT) Received: from [192.168.1.112] (88-114-211-119.elisa-laajakaista.fi. [88.114.211.119]) by smtp.gmail.com with ESMTPSA id i22sm396520lfl.52.2020.10.22.15.24.31 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 22 Oct 2020 15:24:34 -0700 (PDT) Subject: Re: BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures To: Kees Cook Cc: Szabolcs Nagy , Jeremy Linton , "linux-arm-kernel@lists.infradead.org" , libc-alpha@sourceware.org, systemd-devel@lists.freedesktop.org, "linux-kernel@vger.kernel.org" , Mark Rutland , Mark Brown , Dave Martin , Catalin Marinas , Will Deacon , Salvatore Mesoraca , kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org References: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com> <20201022075447.GO3819@arm.com> <78464155-f459-773f-d0ee-c5bdbeb39e5d@gmail.com> <202010221256.A4F95FD11@keescook> From: Topi Miettinen Message-ID: <180cd894-d42d-2bdb-093c-b5360b0ecb1e@gmail.com> Date: Fri, 23 Oct 2020 01:24:14 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: <202010221256.A4F95FD11@keescook> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 22.10.2020 23.02, Kees Cook wrote: > On Thu, Oct 22, 2020 at 01:39:07PM +0300, Topi Miettinen wrote: >> But I think SELinux has a more complete solution (execmem) which can track >> the pages better than is possible with seccomp solution which has a very >> narrow field of view. Maybe this facility could be made available to >> non-SELinux systems, for example with prctl()? Then the in-kernel MDWX could >> allow mprotect(PROT_EXEC | PROT_BTI) in case the backing file hasn't been >> modified, the source filesystem isn't writable for the calling process and >> the file descriptor isn't created with memfd_create(). > > Right. The problem here is that systemd is attempting to mediate a > state change using only syscall details (i.e. with seccomp) instead of > a stateful analysis. Using a MAC is likely the only sane way to do that. > SELinux is a bit difficult to adjust "on the fly" the way systemd would > like to do things, and the more dynamic approach seen with SARA[1] isn't > yet in the kernel. SARA looks interesting. What is missing is a prctl() to enable all W^X protections irrevocably for the current process, then systemd could enable it for services with MemoryDenyWriteExecute=yes. I didn't also see specific measures against memfd_create() or file system W&X, but perhaps those can be added later. Maybe pkey_mprotect() is not handled either unless it uses the same LSM hook as mprotect(). > Trying to enforce memory W^X protection correctly > via seccomp isn't really going to work well, as far as I can see. Not in general, but I think it can work well in context of system services. Then you can ensure that for a specific service, memfd_create() is blocked by seccomp and the file systems are W^X because of mount namespaces etc., so there should not be any means to construct arbitrary executable pages. -Topi