Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <20230526132806.1475900-1-nik.borisov@suse.com>
In-Reply-To: <20230526132806.1475900-1-nik.borisov@suse.com>
From:   Brian Gerst <brgerst@gmail.com>
Date:   Fri, 26 May 2023 11:53:31 -0400
Message-ID: <CAMzpN2hpzkjPsP8GChmm=LVoM-_f5qjxE6jc-yWUX=qO8o0TNA@mail.gmail.com>
Subject: Re: [RFC PATCH] x86/entry: Disable ia32 syscalls and introduce a boot
 time toggle
To:     Nikolay Borisov <nik.borisov@suse.com>
Cc:     x86@kernel.org, linux-kernel@vger.kernel.org, mhocko@suse.cz
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

On Fri, May 26, 2023 at 9:50=E2=80=AFAM Nikolay Borisov <nik.borisov@suse.c=
om> wrote:
>
> Distributions would like to reduce their attack surface as much as
> possible but at the same time they have to cater to a wide variety of
> legacy software. One such avenue where distros have to strike a balance
> is the support for 32bit syscalls on a 64bit kernel. Ideally the compat
> support should be disabled for the majority of the time, yet in the few
> cases where it might be needed it'd be good if there is some toggle
> which would allow users to turn on back compat support.
>
> This patch aims to cater for this use case by disabling ia32 syscalls
> and introducing a boot time parameter 'ia32_enabled' which if set to
> 'true' brings backs 32bit syscall support.
>
> Signed-off-by: Nikolay Borisov <nik.borisov@suse.com>
> ---
>
> Rather than being a final implementation I'd like this to serve as a conv=
ersation
> starter and agree on a final solution that's acceptable to everyone.
>
>  arch/x86/entry/common.c | 17 ++++++++++++++++-
>  1 file changed, 16 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/entry/common.c b/arch/x86/entry/common.c
> index 6c2826417b33..6063727a75fe 100644
> --- a/arch/x86/entry/common.c
> +++ b/arch/x86/entry/common.c
> @@ -19,6 +19,7 @@
>  #include <linux/nospec.h>
>  #include <linux/syscalls.h>
>  #include <linux/uaccess.h>
> +#include <linux/init.h>
>
>  #ifdef CONFIG_XEN_PV
>  #include <xen/xen-ops.h>
> @@ -96,6 +97,20 @@ static __always_inline int syscall_32_enter(struct pt_=
regs *regs)
>         return (int)regs->orig_ax;
>  }
>
> +int ia32_enabled =3D 0;
> +
> +static int __init ia32_enabled_parsecmdline(char *arg)
> +{
> +       if (!strcmp(arg, "true"))
> +               ia32_enabled =3D 1;
> +       else
> +               pr_crit("Unsupported ia32_enabled=3D%s, ia32 syscalls dis=
abled\n",
> +                       arg);
> +
> +       return 0;
> +}
> +early_param("ia32_enabled", ia32_enabled_parsecmdline);
> +
>  /*
>   * Invoke a 32-bit syscall.  Called with IRQs on in CONTEXT_KERNEL.
>   */
> @@ -107,7 +122,7 @@ static __always_inline void do_syscall_32_irqs_on(str=
uct pt_regs *regs, int nr)
>          */
>         unsigned int unr =3D nr;
>
> -       if (likely(unr < IA32_NR_syscalls)) {
> +       if (likely(unr < IA32_NR_syscalls) && ia32_enabled) {
>                 unr =3D array_index_nospec(unr, IA32_NR_syscalls);
>                 regs->ax =3D ia32_sys_call_table[unr](regs);
>         } else if (nr !=3D -1) {
> --
> 2.34.1
>

Compat syscalls should be enabled by default (opt-out).  You can't
break a user's working setup by just upgrading the kernel.  Also, it
needs to work for 32-bit kernels, since this code is used by both
native and compat.