archive mirror
 help / color / mirror / Atom feed
From: Kees Cook <>
To: Topi Miettinen <>
Cc: Szabolcs Nagy <>,
	Jeremy Linton <>,
	"" <>,
	Mark Rutland <>,
	Mark Brown <>,
	Dave Martin <>,
	Catalin Marinas <>,
	Will Deacon <>,
	Salvatore Mesoraca <>,,
Subject: Re: BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures
Date: Thu, 22 Oct 2020 13:02:18 -0700	[thread overview]
Message-ID: <202010221256.A4F95FD11@keescook> (raw)
In-Reply-To: <>

On Thu, Oct 22, 2020 at 01:39:07PM +0300, Topi Miettinen wrote:
> But I think SELinux has a more complete solution (execmem) which can track
> the pages better than is possible with seccomp solution which has a very
> narrow field of view. Maybe this facility could be made available to
> non-SELinux systems, for example with prctl()? Then the in-kernel MDWX could
> allow mprotect(PROT_EXEC | PROT_BTI) in case the backing file hasn't been
> modified, the source filesystem isn't writable for the calling process and
> the file descriptor isn't created with memfd_create().

Right. The problem here is that systemd is attempting to mediate a
state change using only syscall details (i.e. with seccomp) instead of
a stateful analysis. Using a MAC is likely the only sane way to do that.
SELinux is a bit difficult to adjust "on the fly" the way systemd would
like to do things, and the more dynamic approach seen with SARA[1] isn't
yet in the kernel. Trying to enforce memory W^X protection correctly
via seccomp isn't really going to work well, as far as I can see.

Regardless, it makes sense to me to have the kernel load the executable
itself with BTI enabled by default. I prefer gaining Catalin's suggested
patch[2]. :)


Kees Cook

       reply	other threads:[~2020-10-22 20:02 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <>
     [not found] ` <>
     [not found]   ` <>
2020-10-22 20:02     ` Kees Cook [this message]
2020-10-22 22:24       ` BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures Topi Miettinen
2020-10-23 17:52         ` Salvatore Mesoraca
2020-10-24 11:34           ` Topi Miettinen
2020-10-24 14:12             ` Salvatore Mesoraca
2020-10-25 13:42               ` Jordan Glover
2020-10-23  9:02       ` Catalin Marinas
2020-10-24 11:01         ` Topi Miettinen
2020-10-26 14:52           ` Catalin Marinas
2020-10-26 15:56             ` Dave Martin
2020-10-26 16:51               ` Mark Brown
2020-10-26 16:31             ` Topi Miettinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202010221256.A4F95FD11@keescook \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).