Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1165181pxb; Wed, 4 Nov 2020 01:31:37 -0800 (PST) X-Google-Smtp-Source: ABdhPJxAcLEtXpjS56WK30kgKiqn+0okZryq8h+BSeMcsmfMDtphqPnumuLoqxYbiBD/Nr2mcY0m X-Received: by 2002:a17:906:491a:: with SMTP id b26mr10718360ejq.385.1604482296931; Wed, 04 Nov 2020 01:31:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604482296; cv=none; d=google.com; s=arc-20160816; b=fhUt4h0bc4i3tIL5zMpuHFTNl2SxyIe5p4y9tMyf5rqVMGkjGBjJEXviOanYHj1p62 yE0abZcStbQUQHQyoQEb7dTJKjnEUuYjgQ163P1Ohm+f+QKxCocnUJvWPXpFVQSruYfL fJoxndmVIMjgw/dw5W14uWl9VY5EHoRPI7M0/HZy+r0FSQ89B29SRiOFF3Cu/Abl8DbV ThOGwPnLCLqI5HYmlCbfk2OE8CCosg1yILdtJLnedv2K9SGC+khW/BbHfaLik8Z97QyJ cVcwWF7De5ZADjL/E9o5biBvk0sxXFhmCcRm6yXVrQGKSdiVpPtGl/y4Ci4Zfl2lT0td vwbA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:message-id:in-reply-to:date:references:subject:cc:to :from:dkim-signature; bh=sNIUH/NWHkFHY64VfaawTYBDidvMrnoULy11KAx4HxE=; b=Tg29rMzP6+UTUt/Q8l9vlNhzYJ5ZFi5Jheab9oq9SC4+7jyBiHaW4uj4DqRQWqKF7V Cv3FvXJ8eVSvpTRM58LIvYJLGDHZRXeOIGXU1/jJtNHc5dCubxz5Wc5u93Q7H+Lze097 N66VeGFdumIM7RAMCE+XYt4KTOfhoIYk9pMNQ/zpk7IUA+U5fSgeSPRqmlN4Uj950sb9 v2rKmqv1pOMo8KPHR2mQGUSp+huTYMwIg8d5H5ekWXbuCPPtjo0MPNpAR4bEuQ1hsKN8 ZpI4zrYJCdKXKJ1ZbW/y4PhpezgbYixhrzpL5dY/tFbrmdMK5kZfxF57Ays0yJMS9aVc o+5w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Hm0dasHD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b11si1131093ejz.263.2020.11.04.01.31.14; Wed, 04 Nov 2020 01:31:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=Hm0dasHD; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728228AbgKDJ3m (ORCPT + 99 others); Wed, 4 Nov 2020 04:29:42 -0500 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:48306 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726434AbgKDJ3l (ORCPT ); Wed, 4 Nov 2020 04:29:41 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1604482180; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sNIUH/NWHkFHY64VfaawTYBDidvMrnoULy11KAx4HxE=; b=Hm0dasHDJho2bdaEvbHeeA4fvJqotcGLTfhaz5pda27RyAM9jSl5mqDxmiTBOKTXv/xIek ih+3ptMrScXvhERZAnD66JwxJOqBjfi9GPgtypKYh39lHoDK3n7oDY7osOx7uh19vZwrh8 lOG0b7cWm6PGUkuV5JV3sZ8rKs5r8RA= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-513-SFfYKSFfNCypDyaQQ8tYwQ-1; Wed, 04 Nov 2020 04:29:37 -0500 X-MC-Unique: SFfYKSFfNCypDyaQQ8tYwQ-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 465421009E2F; Wed, 4 Nov 2020 09:29:35 +0000 (UTC) Received: from oldenburg2.str.redhat.com (ovpn-113-12.ams2.redhat.com [10.36.113.12]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D02D65D9CC; Wed, 4 Nov 2020 09:29:31 +0000 (UTC) From: Florian Weimer To: Will Deacon Cc: Mark Brown , Szabolcs Nagy , libc-alpha@sourceware.org, Jeremy Linton , Catalin Marinas , Mark Rutland , Kees Cook , Salvatore Mesoraca , Lennart Poettering , Topi Miettinen , linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org Subject: Re: [PATCH 0/4] aarch64: avoid mprotect(PROT_BTI|PROT_EXEC) [BZ #26831] References: <20201103173438.GD5545@sirena.org.uk> <20201104092012.GA6439@willie-the-truck> Date: Wed, 04 Nov 2020 10:29:29 +0100 In-Reply-To: <20201104092012.GA6439@willie-the-truck> (Will Deacon's message of "Wed, 4 Nov 2020 09:20:12 +0000") Message-ID: <87h7q54ghy.fsf@oldenburg2.str.redhat.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org * Will Deacon: > Is there real value in this seccomp filter if it only looks at mprotect(), > or was it just implemented because it's easy to do and sounds like a good > idea? It seems bogus to me. Everyone will just create alias mappings instead, just like they did for the similar SELinux feature. See =E2=80=9CExample c= ode to avoid execmem violations=E2=80=9D in: As you can see, this reference implementation creates a PROT_WRITE mapping aliased to a PROT_EXEC mapping, so it actually reduces security compared to something that generates the code in an anonymous mapping and calls mprotect to make it executable. Furthermore, it requires unusual cache flushing code on some AArch64 implementations (a requirement that is not shared by any Linux other architecture to which libffi has been ported), resulting in hard-to-track-down real-world bugs. Thanks, Florian --=20 Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'N= eill