Subject: Re: [PATCH v1 2/2] arm64: Enable BTI for main executable as well as the interpreter
From: Jeremy Linton
To: Dave Martin, Mark Brown
Cc: Catalin Marinas, linux-arch@vger.kernel.org, libc-alpha@sourceware.org, Szabolcs Nagy, Will Deacon, linux-arm-kernel@lists.infradead.org
Date: Tue, 8 Jun 2021 10:42:41 -0500
Message-ID: <2318f36a-0b81-0e6c-cf6e-ce4167471c82@arm.com>
In-Reply-To: <20210608151914.GJ4187@arm.com>
References: <20210521144621.9306-1-broonie@kernel.org> <20210521144621.9306-3-broonie@kernel.org> <20210603154034.GH4187@arm.com> <20210603165134.GF4257@sirena.org.uk> <20210603180429.GI20338@arm.com> <20210607112536.GI4187@arm.com> <20210607181212.GD17957@arm.com> <20210608113318.GA4200@sirena.org.uk> <20210608151914.GJ4187@arm.com>

On 6/8/21 10:19 AM, Dave Martin wrote:
> On Tue, Jun 08, 2021 at 12:33:18PM +0100, Mark Brown via Libc-alpha wrote:
>> On Mon, Jun 07, 2021 at 07:12:13PM +0100, Catalin Marinas wrote:
>>
>>> I don't think we can document all the filters that can be added on top
>>> of various syscalls, so I'd leave it undocumented (or part of the systemd
>>> documentation). It was a user space program (systemd) breaking another
>>> user space program (well, anything with a new enough glibc). The kernel
>>> ABI was still valid when /sbin/init started ;).
>>
>> Indeed. I think from a kernel point of view the main thing is to look
>> at why userspace feels the need to do things like this and see if
>> there's anything we can improve or do better with in future APIs; part
>> of the original discussion here was figuring out that there's not really
>> any other reasonable option for userspace to implement this check at
>> the minute.
>
> Ack, that would be my policy -- just wanted to make it explicit.
> It would be good if there were better dialogue between the systemd
> and kernel folks on this kind of thing.
>
> SECCOMP makes it rather easy to (attempt to) paper over kernel/user API
> design problems, which probably reduces the chance of the API ever being
> fixed properly, if we're not careful...

Well, IMHO the problem is larger than just BTI here. What systemd is
trying to do by fixing the exec state of a service is admirable, but it's
a 90% solution without the entire linker/loader being in a more
privileged context.

While BTI makes finding a generic gadget that can call mprotect harder,
it still seems like it might just be a little too easy. The seccomp
filter is providing a nice bonus by removing the ability to disable BTI
via mprotect without also disabling X. So without moving more of the
linker into the kernel it's hard to see how one can really lock down
X-only pages.

Anyway, I'm testing this on rawhide now.

Thanks!