From mboxrd@z Thu Jan 1 00:00:00 1970
From: Topi Miettinen
To: Salvatore Mesoraca
Cc: Kees Cook, Szabolcs Nagy, Jeremy Linton, linux-arm-kernel@lists.infradead.org, libc-alpha@sourceware.org, systemd-devel@lists.freedesktop.org, linux-kernel@vger.kernel.org, Mark Rutland, Mark Brown, Dave Martin, Catalin Marinas, Will Deacon, Kernel Hardening, linux-hardening@vger.kernel.org
Subject: Re: BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures
Date: Sat, 24 Oct 2020 14:34:06 +0300
Message-ID: <3cb894d4-049f-aa25-4450-d1df36a1b92e@gmail.com>
References: <8584c14f-5c28-9d70-c054-7c78127d84ea@arm.com> <20201022075447.GO3819@arm.com> <78464155-f459-773f-d0ee-c5bdbeb39e5d@gmail.com> <202010221256.A4F95FD11@keescook> <180cd894-d42d-2bdb-093c-b5360b0ecb1e@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
X-Mailing-List: linux-kernel@vger.kernel.org

On 23.10.2020 20.52, Salvatore Mesoraca wrote:
> Hi,
>
> On Thu, 22 Oct 2020 at 23:24, Topi Miettinen wrote:
>> SARA looks interesting. What is missing is a prctl() to enable all W^X
>> protections irrevocably for the current process, then systemd could
>> enable it for services with MemoryDenyWriteExecute=yes.
>
> SARA actually has a procattr[0] interface to do just that.
> There is also a library[1] to help using it.

That means that /proc has to be available and writable at that point, so
setting up procattrs has to be done before mount namespaces are set up.
In general, it would be nice for sandboxing facilities in the kernel if there
were a way to start enforcing restrictions only at the next execve(), like
setexeccon() for SELinux and aa_change_onexec() for AppArmor. Otherwise the
exact order of setting up various sandboxing options can be very tricky to
arrange correctly, since each option may have a subtle effect on the
sandboxing features enabled later.

In the case of SARA, the operations done between shuffling the mount
namespace and before execve() shouldn't be affected, so it isn't important.
Even if they were (a new sandboxing feature in the future would need
trampolines or JIT code generation), maybe the procattr file could be opened
early but written closer to execve().

-Topi
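The "open the procattr file early, write it just before execve()" ordering suggested in the last paragraph, as an added example that is not code from this thread, from SARA, from systemd or from any other project mentioned. It assumes a hypothetical attribute path and policy string supplied on the command line (whatever the LSM in use actually exposes would go there), and it simulates the mount-namespace shuffle by entering new user and mount namespaces and covering /proc with an empty tmpfs; that part needs unprivileged user namespaces and is only reached from main(). The selftest_roundtrip() function shows the same property without privileges: once the path no longer resolves, a write through the descriptor opened earlier still lands.

```c
/* Added example, not from the thread or any of the projects it mentions.
 * A minimal launcher that follows the suggested ordering: open the LSM
 * procattr file while /proc is still visible, rearrange the mount namespace,
 * then write the attribute through the already-open descriptor immediately
 * before execve().  The attribute path and value are hypothetical; substitute
 * whatever interface the LSM in use actually exposes. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Step 1: open the attribute file early.  O_CLOEXEC keeps the descriptor from
 * leaking into the sandboxed program.  Returns the fd, or -1 with errno set. */
int attr_open_early(const char *path)
{
    return open(path, O_WRONLY | O_CLOEXEC);
}

/* Step 3: write the attribute through the open file description.  No path
 * lookup happens here, so this keeps working after /proc has been unmounted,
 * hidden or replaced.  Returns 0 on success or -errno. */
int attr_write_late(int fd, const char *value)
{
    size_t len = strlen(value);
    ssize_t n = write(fd, value, len);
    if (n < 0)
        return -errno;
    if ((size_t)n != len)
        return -EIO;   /* procattr writes are all-or-nothing; a short write is a failure */
    return 0;
}

/* Step 2: the mount-namespace shuffle.  Simulated by entering new user and
 * mount namespaces and covering /proc with an empty tmpfs, so a path-based
 * open of the attribute file would now fail.  Needs unprivileged user
 * namespaces; returns -errno if they are unavailable. */
int mountns_shuffle(void)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0)
        return -errno;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -errno;
    if (mount("tmpfs", "/proc", "tmpfs", MS_NOSUID | MS_NODEV, "size=4k") < 0)
        return -errno;
    return 0;
}

/* Full sequence.  Returns only if something before execve() failed (-errno). */
int sandbox_exec(const char *attr_path, const char *value, char *const argv[])
{
    int fd = attr_open_early(attr_path);
    if (fd < 0)
        return -errno;
    int rc = mountns_shuffle();
    if (rc == 0)
        rc = attr_write_late(fd, value);
    close(fd);
    if (rc < 0)
        return rc;
    execv(argv[0], argv);
    return -errno;
}

/* Privilege-free check of the ordering: open a temp file early, make its path
 * unresolvable (unlink stands in for the namespace shuffle), then write through
 * the old descriptor and read the result back.  Returns 1 on success. */
int selftest_roundtrip(void)
{
    char path[] = "/tmp/attr-demo-XXXXXX";
    char buf[64] = {0};
    int tmp = mkstemp(path);
    if (tmp < 0)
        return 0;
    int fd = attr_open_early(path);
    unlink(path);
    int ok = fd >= 0
          && attr_open_early(path) == -1                        /* path is gone ... */
          && attr_write_late(fd, "hypothetical-policy") == 0   /* ... fd still works */
          && pread(tmp, buf, sizeof buf - 1, 0) > 0
          && strcmp(buf, "hypothetical-policy") == 0;
    if (fd >= 0)
        close(fd);
    close(tmp);
    return ok;
}

int main(int argc, char *argv[])
{
    if (argc < 4) {
        fprintf(stderr, "usage: %s <attr-path> <value> <program> [args...]\n", argv[0]);
        return 2;
    }
    int rc = sandbox_exec(argv[1], argv[2], &argv[3]);
    fprintf(stderr, "sandbox_exec failed: %s\n", strerror(-rc));
    return 1;
}
```

The point to check in a real launcher is that the write goes through a descriptor obtained before any unshare(), pivot_root() or /proc remount, and that the descriptor is O_CLOEXEC so it does not survive into the service; with enforce-on-exec interfaces such as SELinux's setexeccon() this ordering concern disappears, which is what the message argues for.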