Received: by 2002:a05:6a10:16a7:0:0:0:0 with SMTP id gp39csp1573519pxb; Wed, 4 Nov 2020 12:37:27 -0800 (PST) X-Google-Smtp-Source: ABdhPJz8fOvPvs4jfdetv3YRO71MZ85AMXvAEnGnMW8LYG58U0VA+SToLD0FoKmrWoqMTyXms3rD X-Received: by 2002:a17:906:c288:: with SMTP id r8mr14091827ejz.35.1604522247281; Wed, 04 Nov 2020 12:37:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1604522247; cv=none; d=google.com; s=arc-20160816; b=KHWfB595+ce0i9LowSW+8OVm+lLo1HxpYSCAwVHscxVWH/oJ8Hv/zykHJ96CaGKCkF SauH1bgmGlX0XgKh+DCCTcjvvEKkvGX0idhJ5UuuWG0Q00D4ezVoHtk7yGCpEn4YJytQ IwbR+sauurYwKMTYJaJOPy/YcKY/1vGrwHQU4sd6JB7L4m0H6cUgdbFbHNZhS3/2nPI0 zR5MbQ7cS/BG6nTb5JAfyeNW8QsrLiwUOt4DiDLXIUs71PXaYa0RXCEcE60QDCHyeWO6 lk36C+JoH1A4JG5CWZsQGKupfEjNcEXsGbesmeBDxlxW3e7rpqeW4hbEdJtB7CO7PNWC 72Vw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=3k8PKZh+A31ycJmfrWf9CB+O15WvqpVX5p2CyrCXoMw=; b=CeRrsNT4zpXlDJFk7PyTAFEtjO4upDQ/Gy2THQ/NQrOz9iYGI4L02/S8E0FuOqVO+6 IGwyn90Px3qgic3e1ePfSN1ufrBGkv0QctYk2FZvlLa9Kgd7fHx6EJokYpL4j7h1OF7V qpkDKlGmS9qxrbHsZ+yVwKOKrmeW4jRAWGfwNm+D3LErittxbTNpsumTmxQkqEP5yhdk a/v3xOu8UEd49f26D/d+SLIrByDSZJg+fvMvs54QILFhNOugGuKe1l1hgkmTxRgFHjJo hBHPtk5O8fi1Rpblv9onD6D4Kwqaef7geboZqlmlMzkFsQdol0PLFMJF1OplkFKLv89A r5sw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l13si2563943ejg.691.2020.11.04.12.37.04; Wed, 04 Nov 2020 12:37:27 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731554AbgKDSrO (ORCPT + 99 others); Wed, 4 Nov 2020 13:47:14 -0500 Received: from foss.arm.com ([217.140.110.172]:42154 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726737AbgKDSrM (ORCPT ); Wed, 4 Nov 2020 13:47:12 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 40FF114BF; Wed, 4 Nov 2020 10:47:11 -0800 (PST) Received: from [192.168.122.166] (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 77B623F718; Wed, 4 Nov 2020 10:47:10 -0800 (PST) Subject: Re: [PATCH 0/4] aarch64: avoid mprotect(PROT_BTI|PROT_EXEC) [BZ #26831] To: Mark Brown Cc: Szabolcs Nagy , libc-alpha@sourceware.org, Catalin Marinas , Mark Rutland , Will Deacon , Florian Weimer , Kees Cook , Salvatore Mesoraca , Lennart Poettering , Topi Miettinen , linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, kernel-hardening@lists.openwall.com, linux-hardening@vger.kernel.org References: <20201103173438.GD5545@sirena.org.uk> <8c99cc8e-41af-d066-b786-53ac13c2af8a@arm.com> <20201104105058.GA4812@sirena.org.uk> From: Jeremy Linton Message-ID: <8c2d08a7-5595-6221-8da8-a7cbf6e1d493@arm.com> Date: Wed, 4 Nov 2020 12:47:09 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.3.1 MIME-Version: 1.0 In-Reply-To: <20201104105058.GA4812@sirena.org.uk> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On 11/4/20 4:50 AM, Mark Brown wrote: > On Tue, Nov 03, 2020 at 11:41:42PM -0600, Jeremy Linton wrote: >> On 11/3/20 11:34 AM, Mark Brown wrote: > >>> Given that there were still some ongoing discussions on a more robust >>> kernel interface here and there seem to be a few concerns with this >>> series should we perhaps just take a step back and disable this seccomp >>> filter in systemd on arm64, at least for the time being? That seems >>> safer than rolling out things that set ABI quickly, a big part of the > >> So, that's a bigger hammer than I think is needed and punishes !BTI >> machines. I'm going to suggest that if we need to carry a temp patch its >> more like the glibc patch I mentioned in the Fedora defect. That patch >> simply logs a message, on the mprotect failures rather than aborting. Its >> fairly non-intrusive. > >> That leaves seccomp functional, and BTI generally functional except when >> seccomp is restricting it. I've also been asked that if a patch like that is >> needed, its (temporary?) merged to the glibc trunk, rather than just being >> carried by the distro's. > > The effect on pre-BTI hardware is an issue, another option would be for > systemd to disable this seccomp usage but only after checking for BTI > support in the system rather than just doing so purely based on the > architecture. > That works, but your also losing seccomp in the case where the machine is BTI capable, but the service isn't. So it should really be checking the elf notes, but at that point you might just as well patch glibc.