Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp1356855pxu; Sat, 24 Oct 2020 08:11:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyxIkmrOWNXRZu6zYYyl+Xx/faPLEKVoqfh1rvp9CupGjRevy9xNnuGQ5GBROclsEneOIzN X-Received: by 2002:aa7:c256:: with SMTP id y22mr7576962edo.108.1603552285341; Sat, 24 Oct 2020 08:11:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603552285; cv=none; d=google.com; s=arc-20160816; b=vNnXNCuuZMMe4oJ1PkJTx30gmrrK/HLFqbDc8Ym7Gx04V1m+lQmZDsmiJHa2G81mM/ qnrHpnYUUthP52aEplCICNlvoX2gmCgW9I1fX+f1fNtpwtwjQCE5aOVHFRTtMhsL+Z7T 7aA2KSbH1bLDsQs8D7/2SrUIsa231uLnxnZ1c8RhxQb5ck1HxSZsD0e2od5KScnzaP/Y 4W5pRRmQpuxHYe+H1hV7ZWDcbZgpopvnD2/js44GkgU/TpHieXYjnsfy9+ozDpIrKmIL tO2FIBW7eZ5orYtwhHg/dnZpYYjEllOJc0a0rN1oEKGRyLUadc67ao8C0t5+dze6wN3K cADg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=IoKvQwjpmgnwDqwDMU0dzPR0LnLnshRSMNK/AI0kcxw=; b=OdujaX3vNq4cYXS0UbQXcW9ozb96EbfotuJ+49YT943kTE3Y6ucGWrizNY3qUe5328 xNO3VlU6asoo3dNFqX6sQzP0X6ODQ12oyTA4ZAea9Hq7Cbu5T3VOY3xMBmWoiSldb6FP KsVmA3J0vNeNXNsTDJ3Hh39cZAyQgnKaqlWcHU2dFNsX141N8V6Hxwe+6ZRq7RWw0pnP O5jX54oaeJbh2xF4trhbnj7M0L4mpm+ranFNaPw7y6InhtzfGeijWpZKgIkvc3ne6gGu 9ZyVGfk+DXx0IIpGoMVWS3LJAJ0l0zZNqLup16jSFDjeIRvVqWPygQLmv072xA2W6MbN 5evw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=mqiOOs7T; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ly1si2000449ejb.288.2020.10.24.08.11.02; Sat, 24 Oct 2020 08:11:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=mqiOOs7T; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1761161AbgJXLeb (ORCPT + 99 others); Sat, 24 Oct 2020 07:34:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54952 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1759684AbgJXLeb (ORCPT ); Sat, 24 Oct 2020 07:34:31 -0400 Received: from mail-lf1-x143.google.com (mail-lf1-x143.google.com [IPv6:2a00:1450:4864:20::143]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3BAE8C0613CE; Sat, 24 Oct 2020 04:34:29 -0700 (PDT) Received: by mail-lf1-x143.google.com with SMTP id j30so5354689lfp.4; Sat, 24 Oct 2020 04:34:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=IoKvQwjpmgnwDqwDMU0dzPR0LnLnshRSMNK/AI0kcxw=; b=mqiOOs7TyvklH3y6Ood3stRdGCXNjS2vgVdrSrZQ2N5rvNmXE4ypAGwbOH+pu5ZkZU cLFinzJ8s1Tc1dBlP3n6K9U1vTiiudbu4H1PwQEoeFI7WihRODKM6wJlcI16HoaXOosR PQtOWyYZ5vxd3flAAaj+Fgat/sdOALkni45sy0aydIfRvlwxm3dwa0l5WDx3QP/dG3y6 pYy6zdGvNsP3Z9aeTINusM1N7KGKTk/bljhK8h8j6gQ8iHYyydmfoS0E2Io29bJlsvT5 ZfDv1jpttgUuhifKJENIVwPfjjhn0XCWIAk65JMYKL0UIJotL4bcojoT7g08pknvpe9X BBhg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=IoKvQwjpmgnwDqwDMU0dzPR0LnLnshRSMNK/AI0kcxw=; b=Do0myV1lQhGsRpBq6dZweldI5RIXrfMStYdTrqYeWSnK0RleWmurBZJiFA9oU8KTVe ftSaceYAEfo3HuLfsJDj6KabDvDeyA+BQKZ/DWJhKm/RkWSj0ra8NGl0cwzrLUqHWNTZ gIRtTidM5cNyP5y378VKGxT88ic6spVv31wffQOKow5jmlujSJhcoJqy+HQH5XKUyD/N d1E23hN5uUtCnwhrd1Qnm8NWvh/HP22mzj+/LN61ROXcTE3ty/woLzR2DASAEnMQmbGe ZrWy+MN4950xSrwWOThsapIcVvOGp6NuFrzoenQFLpx2ebGRjxD/J0NrBjat8NdReN8R KO8A== X-Gm-Message-State: AOAM530uqtbfVPAFz7vADJc1mHuHby5U/PhkGUPcUq+JTedlXIucvnul VYXdoC+hqjvSpPJiOP6nG03F/lvu8zY= X-Received: by 2002:a19:2355:: with SMTP id j82mr1914155lfj.36.1603539267465; Sat, 24 Oct 2020 04:34:27 -0700 (PDT) Received: from [192.168.1.112] (88-114-211-119.elisa-laajakaista.fi. [88.114.211.119]) by smtp.gmail.com with ESMTPSA id y24sm411089lfy.194.2020.10.24.04.34.24 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 24 Oct 2020 04:34:26 -0700 (PDT) Subject: Re: BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures To: Salvatore Mesoraca Cc: Kees Cook , Szabolcs Nagy , Jeremy Linton , "linux-arm-kernel@lists.infradead.org" , libc-alpha@sourceware.org, systemd-devel@lists.freedesktop.org, "linux-kernel@vger.kernel.org" , Mark Rutland , Mark Brown , Dave Martin , Catalin Marinas , Will Deacon , Kernel Hardening , linux-hardening@vger.kernel.org References: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com> <20201022075447.GO3819@arm.com> <78464155-f459-773f-d0ee-c5bdbeb39e5d@gmail.com> <202010221256.A4F95FD11@keescook> <180cd894-d42d-2bdb-093c-b5360b0ecb1e@gmail.com> From: Topi Miettinen Message-ID: <3cb894d4-049f-aa25-4450-d1df36a1b92e@gmail.com> Date: Sat, 24 Oct 2020 14:34:06 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 23.10.2020 20.52, Salvatore Mesoraca wrote: > Hi, > > On Thu, 22 Oct 2020 at 23:24, Topi Miettinen wrote: >> SARA looks interesting. What is missing is a prctl() to enable all W^X >> protections irrevocably for the current process, then systemd could >> enable it for services with MemoryDenyWriteExecute=yes. > > SARA actually has a procattr[0] interface to do just that. > There is also a library[1] to help using it. That means that /proc has to be available and writable at that point, so setting up procattrs has to be done before mount namespaces are set up. In general, it would be nice for sandboxing facilities in kernel if there would be a way to start enforcing restrictions only at next execve(), like setexeccon() for SELinux and aa_change_onexec() for AppArmor. Otherwise the exact order of setting up various sandboxing options can be very tricky to arrange correctly, since each option may have a subtle effect to the sandboxing features enabled later. In case of SARA, the operations done between shuffling the mount namespace and before execve() shouldn't be affected so it isn't important. Even if it did (a new sandboxing feature in the future would need trampolines or JIT code generation), maybe the procattr file could be opened early but it could be written closer to execve(). -Topi