Date: Mon, 26 Oct 2020 16:24:11 +0000
From: Dave Martin
To: Jeremy Linton
Cc: linux-arm-kernel@lists.infradead.org, libc-alpha@sourceware.org, systemd-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Mark Rutland, Kees Cook, Catalin Marinas, Will Deacon, Mark Brown, toiwoton@gmail.com
Subject: Re: BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures
Message-ID: <20201026162410.GB27285@arm.com>
References: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com>
In-Reply-To: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com>
List-ID: linux-kernel@vger.kernel.org

On Wed, Oct 21, 2020 at 10:44:46PM -0500, Jeremy Linton via Libc-alpha wrote:
> Hi,
>
> There is a problem with glibc+systemd on BTI enabled systems. Systemd
> has a service flag "MemoryDenyWriteExecute" which uses seccomp to deny
> PROT_EXEC changes. Glibc enables BTI only on segments which are marked as
> being BTI compatible by calling mprotect PROT_EXEC|PROT_BTI. That call is
> caught by the seccomp filter, resulting in service failures.
>
> So, at the moment one has to pick either denying PROT_EXEC changes, or BTI.
> This is obviously not desirable.
>
> Various changes have been suggested, replacing the mprotect with mmap calls
> having PROT_BTI set on the original mapping, re-mmapping the segments,
> implying PROT_EXEC on mprotect PROT_BTI calls when VM_EXEC is already set,
> and various modifications to seccomp to allow particular mprotect cases to
> bypass the filters. In each case there seems to be an undesirable attribute
> to the solution.
>
> So, what's the best solution?

Unrolling this discussion a bit, this problem comes from a few sources:

1) systemd is trying to implement a policy that doesn't fit SECCOMP
   syscall filtering very well.

2) The program is trying to do something not expressible through the
   syscall interface: really the intent is to set PROT_BTI on the page,
   with no intent to set PROT_EXEC on any page that didn't already have
   it set.

This limitation of mprotect() was known when I originally added PROT_BTI,
but at that time we weren't aware of a clear use case that would fail.

Would it now help to add something like:

	int mchangeprot(void *addr, size_t len, int old_flags, int new_flags)
	{
		int ret = -EINVAL;

		mmap_write_lock(current->mm);
		if (all vmas in [addr .. addr + len) have their mprotect flags set to old_flags) {
			ret = mprotect(addr, len, new_flags);
		}
		mmap_write_unlock(current->mm);

		return ret;
	}

libc would now be able to do

	mchangeprot(addr, len, PROT_EXEC | PROT_READ, PROT_EXEC | PROT_READ | PROT_BTI);

while systemd's MDWX filter would reject the call if

	(new_flags & PROT_EXEC) && (!(old_flags & PROT_EXEC) || (new_flags & PROT_WRITE))

This won't magically fix current code, but something along these lines
might be better going forward.

Thoughts?

---Dave
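Added example, not part of Dave's mail and not kernel code: a constructed user-space C model of the proposal, contrasting the decision today's MemoryDenyWriteExecute filter can make (it only sees mprotect()'s new flags) with the filter proposed for mchangeprot() (old and new flags both visible), plus a model of the "all VMAs in range have old_flags" check. The names mdwx_allows_mprotect, mdwx_allows_mchangeprot, mchangeprot_model and struct vma are assumptions; PROT_BTI's value 0x10 is the arm64 ABI value.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed user-space model of the proposal above, not kernel code.
 * PROT_* values follow the Linux arm64 ABI (PROT_BTI is 0x10 there). */
#ifndef PROT_READ
#define PROT_READ  0x1
#define PROT_WRITE 0x2
#define PROT_EXEC  0x4
#endif
#ifndef PROT_BTI
#define PROT_BTI   0x10
#endif

struct vma { unsigned long start, end; int prot; };  /* toy VMA, assumed */

/* Today's MemoryDenyWriteExecute filter sees only mprotect()'s new flags, so
 * it must refuse everything carrying PROT_EXEC, glibc's PROT_EXEC|PROT_BTI
 * request on an already executable segment included. */
int mdwx_allows_mprotect(int new_flags)
{
    return !(new_flags & PROT_EXEC);
}

/* Proposed filter for mchangeprot(): with old and new flags both visible it
 * refuses only calls that add PROT_EXEC where it was absent, or that combine
 * PROT_EXEC with PROT_WRITE. Returns 1 to allow, 0 to reject. */
int mdwx_allows_mchangeprot(int old_flags, int new_flags)
{
    return !((new_flags & PROT_EXEC) &&
             (!(old_flags & PROT_EXEC) || (new_flags & PROT_WRITE)));
}

/* Model of mchangeprot(): change [addr, addr + len) to new_flags only if every
 * VMA overlapping it currently has exactly old_flags; 0 on success, else
 * -EINVAL, as in the sketch. */
int mchangeprot_model(struct vma *vmas, size_t n, unsigned long addr,
                      size_t len, int old_flags, int new_flags)
{
    unsigned long end = addr + len;
    size_t i;

    for (i = 0; i < n; i++)
        if (vmas[i].end > addr && vmas[i].start < end &&
            vmas[i].prot != old_flags)
            return -EINVAL;          /* caller's view of the range is stale */
    for (i = 0; i < n; i++)
        if (vmas[i].end > addr && vmas[i].start < end)
            vmas[i].prot = new_flags;
    return 0;
}
```

glibc's BTI enable under the proposal is then the filter decision followed by the syscall model: mdwx_allows_mchangeprot(PROT_READ|PROT_EXEC, PROT_READ|PROT_EXEC|PROT_BTI) allows it, and mchangeprot_model() refuses the call if any VMA in the range is not already read-only-executable.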