Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1344469pxb; Wed, 4 Nov 2020 06:37:31 -0800 (PST) X-Google-Smtp-Source: ABdhPJyBTTMcHQeIyyTpsh6MrWF9Uvlf+hPvkieKIXnS/Fbgq38KEQFRMZQYMt+7gevfRNFHGUgP X-Received: by 2002:a17:906:c357:: with SMTP id ci23mr6498154ejb.311.1604500651344; Wed, 04 Nov 2020 06:37:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604500651; cv=none; d=google.com; s=arc-20160816; b=FHjk7tdiVYd+svzBxx04457x5khLAk60GTSs/T/zTOM0IQuZzEEvv5VqUOOLeBAWR3 UrMqdvRI+UcK6PD5PhVANyR8tsHTnEgvnh/gqWR8nuWcEyFaAwjnzBZyDW5oHsF5U4Fq AEvt0fLznteEkYqB2lpXzdQ1qldzaiY1i7AxL1YqcoG7N+xfLJv8x3h6zwWp0MPoEqtH TNQEBmX4KJf5xCW+ydLz5Xp5tE4oXdClMCNOjtvLDLCX3B5ZOHs20N8TgajSGO6O2Mlr G7Boi5V1UwAxt9fLqQSpztI+5Az8KS5BnDHFn2+EC1VBBDad075G1SLRAffKtuVLEY9f anow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=dzwSiMra2C6Gu4GmUXu7lPevi++8z/L5AxuM7aw/Q80=; b=ZsgIhOcKtdLf0XlrXTTtLAMvDDwin+i2Y/ynN8uL1CLzOl2VVszDjqPtHCcCNGQ5/e fw06UhkJ1p4UN5ss1kJENL9YxJNmTUPKNeBPoot1hs6XWeWXp/YFl3q9hDs+jbuDZjQk CkhYX1CdQWbGYIQBTYVemCo38NIVLuCnSeEReKt4t2cDGcDVz6uv5EMS0F3VlrYZ+hd6 BrJFLLhZzumHfnwb8+nDjOLTWS+6jGAUFPUWaAx6yx7hRc1jpFGCGJ5TvfpAf3ijcRtO MKDymxHUmimq5LgfzpGNxTcCJHuBUX/osPmi9K1QBoybcRM3x8eU1VcVZRdp2N2tHwpF 1m2g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o10si404915ejg.80.2020.11.04.06.37.08; Wed, 04 Nov 2020 06:37:31 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726944AbgKDOfI (ORCPT + 99 others); Wed, 4 Nov 2020 09:35:08 -0500 Received: from mail.kernel.org ([198.145.29.99]:43428 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726608AbgKDOfI (ORCPT ); Wed, 4 Nov 2020 09:35:08 -0500 Received: from gaia (unknown [2.26.170.190]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id B32CF20709; Wed, 4 Nov 2020 14:35:03 +0000 (UTC) Date: Wed, 4 Nov 2020 14:35:00 +0000 From: Catalin Marinas To: Topi Miettinen Cc: Florian Weimer , Will Deacon , Mark Brown , Szabolcs Nagy , libc-alpha@sourceware.org, Jeremy Linton , Mark Rutland , Kees Cook , Salvatore Mesoraca , Lennart Poettering , linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org Subject: Re: [PATCH 0/4] aarch64: avoid mprotect(PROT_BTI|PROT_EXEC) [BZ #26831] Message-ID: <20201104143500.GC28902@gaia> References: <20201103173438.GD5545@sirena.org.uk> <20201104092012.GA6439@willie-the-truck> <87h7q54ghy.fsf@oldenburg2.str.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 04, 2020 at 11:55:57AM +0200, Topi Miettinen wrote: > On 4.11.2020 11.29, Florian Weimer wrote: > > * Will Deacon: > > > > > Is there real value in this seccomp filter if it only looks at mprotect(), > > > or was it just implemented because it's easy to do and sounds like a good > > > idea? > > > > It seems bogus to me. Everyone will just create alias mappings instead, > > just like they did for the similar SELinux feature. See “Example code > > to avoid execmem violations” in: > > > > [...] > > As you can see, this reference implementation creates a PROT_WRITE > > mapping aliased to a PROT_EXEC mapping, so it actually reduces security > > compared to something that generates the code in an anonymous mapping > > and calls mprotect to make it executable. [...] > If a service legitimately needs executable and writable mappings (due to > JIT, trampolines etc), it's easy to disable the filter whenever really > needed with "MemoryDenyWriteExecute=no" (which is the default) in case of > systemd or a TE rule like "allow type_t self:process { execmem };" for > SELinux. But this shouldn't be the default case, since there are many > services which don't need W&X. I think Drepper's point is that separate X and W mappings, with enough randomisation, would be more secure than allowing W&X at the same address (but, of course, less secure than not having W at all, though that's not always possible). > I'd also question what is the value of BTI if it can be easily circumvented > by removing PROT_BTI with mprotect()? Well, BTI is a protection against JOP attacks. The assumption here is that an attacker cannot invoke mprotect() to disable PROT_BTI. If it can, it's probably not worth bothering with a subsequent JOP attack, it can already call functions directly. I see MDWX not as a way of detecting attacks but rather plugging inadvertent security holes in certain programs. On arm64, such hardening currently gets in the way of another hardening feature, BTI. -- Catalin