Subject: Re: BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures
To: Dave Martin, Szabolcs Nagy
Cc: Mark Rutland, systemd-devel@lists.freedesktop.org, Kees Cook, Catalin Marinas, Will Deacon, linux-kernel@vger.kernel.org, Mark Brown, toiwoton@gmail.com, libc-alpha@sourceware.org, linux-arm-kernel@lists.infradead.org
References: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com> <20201026162410.GB27285@arm.com> <20201026165755.GV3819@arm.com> <20201026175230.GC27285@arm.com>
From: Jeremy Linton
Message-ID: <45c64b49-a38b-4b0c-d9cf-6c586dacbcc9@arm.com>
Date: Mon, 26 Oct 2020 17:39:42 -0500
In-Reply-To:
 <20201026175230.GC27285@arm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

On 10/26/20 12:52 PM, Dave Martin wrote:
> On Mon, Oct 26, 2020 at 04:57:55PM +0000, Szabolcs Nagy via Libc-alpha wrote:
>> The 10/26/2020 16:24, Dave Martin via Libc-alpha wrote:
>>> Unrolling this discussion a bit, this problem comes from a few sources:
>>>
>>> 1) systemd is trying to implement a policy that doesn't fit SECCOMP
>>> syscall filtering very well.
>>>
>>> 2) The program is trying to do something not expressible through the
>>> syscall interface: really the intent is to set PROT_BTI on the page,
>>> with no intent to set PROT_EXEC on any page that didn't already have it
>>> set.
>>>
>>>
>>> This limitation of mprotect() was known when I originally added PROT_BTI,
>>> but at that time we weren't aware of a clear use case that would fail.
>>>
>>>
>>> Would it now help to add something like:
>>>
>>> int mchangeprot(void *addr, size_t len, int old_flags, int new_flags)
>>> {
>>>     int ret = -EINVAL;
>>>     mmap_write_lock(current->mm);
>>>     if (all vmas in [addr .. addr + len) have
>>>             their mprotect flags set to old_flags) {
>>>
>>>         ret = mprotect(addr, len, new_flags);
>>>     }
>>>
>>>     mmap_write_unlock(current->mm);
>>>     return ret;
>>> }
>>
>> if more prot flags are introduced then the exact
>> match for old_flags may be restrictive and currently
>> there is no way to query these flags to figure out
>> how to toggle one prot flag in a future-proof way,
>> so i don't think this solves the issue completely.
>
> Ack -- I illustrated this model because it makes the seccomp filter's
> job easy, but it does have limitations.
>
>> i think we might need a new api, given that aarch64
>> now has PROT_BTI and PROT_MTE while existing code
>> expects RWX only, but i don't know what api is best.
>
> An alternative option would be a call that sets / clears chosen
> flags and leaves others unchanged.

I tend to favor a set/clear API, but that could also just be done by
creating a new PROT_BTI_IF_X which enables BTI for areas already set to
_EXEC. That goes right by the seccomp filters too, and actually is closer
to what glibc wants to do anyway.

> The trouble with that is that the MDWX policy then becomes hard to
> implement again.
>
>
> But policies might be best set via another route, such as a prctl,
> rather than being implemented completely in a seccomp filter.
>
> Cheers
> ---Dave
>