linux-arch.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Dave Martin <Dave.Martin@arm.com>
To: Jeremy Linton <jeremy.linton@arm.com>
Cc: Mark Brown <broonie@kernel.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	linux-arch@vger.kernel.org, libc-alpha@sourceware.org,
	Szabolcs Nagy <szabolcs.nagy@arm.com>,
	Will Deacon <will@kernel.org>,
	linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v1 2/2] arm64: Enable BTI for main executable as well as the interpreter
Date: Thu, 10 Jun 2021 11:33:54 +0100	[thread overview]
Message-ID: <20210610103354.GO4187@arm.com> (raw)
In-Reply-To: <2318f36a-0b81-0e6c-cf6e-ce4167471c82@arm.com>

On Tue, Jun 08, 2021 at 10:42:41AM -0500, Jeremy Linton wrote:
> On 6/8/21 10:19 AM, Dave Martin wrote:
> >On Tue, Jun 08, 2021 at 12:33:18PM +0100, Mark Brown via Libc-alpha wrote:
> >>On Mon, Jun 07, 2021 at 07:12:13PM +0100, Catalin Marinas wrote:
> >>
> >>>I don't think we can document all the filters that can be added on top
> >>>various syscalls, so I'd leave it undocumented (or part of the systemd
> >>>documentation). It was a user space program (systemd) breaking another
> >>>user space program (well, anything with a new enough glibc). The kernel
> >>>ABI was still valid when /sbin/init started ;).
> >>
> >>Indeed.  I think from a kernel point of view the main thing is to look
> >>at why userspace feels the need to do things like this and see if
> >>there's anything we can improve or do better with in future APIs, part
> >>of the original discussion here was figuring out that there's not really
> >>any other reasonable options for userspace to implement this check at
> >>the minute.
> >
> >Ack, that would be my policy -- just wanted to make it explicit.
> >It would be good if there were better dialogue between the systemd
> >and kernel folks on this kind of thing.
> >
> >SECCOMP makes it rather easy to (attempt to) paper over kernel/user API
> >design problems, which probably reduces the chance of the API ever being
> >fixed properly, if we're not careful...
> 
> Well IMHO the problem is larger than just BTI here, what systemd is trying
> to do by fixing the exec state of a service is admirable but its a 90%
> solution without the entire linker/loader being in a more privileged
> context. While BTI makes finding a generic gadget that can call mprotect
> harder, it still seems like it might just be a little too easy. The secomp
> filter is providing a nice bonus by removing the ability to disable BTI via
> mprotect without also disabling X. So without moving more of the linker into
> the kernel its hard to see how one can really lock down X only pages.
> 
> Anyway, i'm testing this on rawhide now.
> 
> Thanks!

Well, I agree that there are larger issues here.  But we need to be
realistic and try not to do too much damage to future maintainability.

Note, your "bonus" is really a feature-like bug.  This is what we
should be trying to avoid IMHO: if it's important, it needs to be
designed and guaranteed.  Something that works by accident is likely to
get broken again by accident in the future.

Cheers
---Dave

      reply	other threads:[~2021-06-10 10:34 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-21 14:46 [PATCH v1 0/2] arm64: Enable BTI for the executable as well as the interpreter Mark Brown
2021-05-21 14:46 ` [PATCH v1 1/2] elf: Allow architectures to parse properties on the main executable Mark Brown
2021-06-03 15:40   ` Dave Martin
2021-06-03 18:52     ` Mark Brown
2021-05-21 14:46 ` [PATCH v1 2/2] arm64: Enable BTI for main executable as well as the interpreter Mark Brown
2021-06-03 15:40   ` Dave Martin
2021-06-03 16:51     ` Mark Brown
2021-06-03 18:04       ` Catalin Marinas
2021-06-07 11:25         ` Dave Martin
2021-06-07 18:12           ` Catalin Marinas
2021-06-08 11:33             ` Mark Brown
2021-06-08 15:19               ` Dave Martin
2021-06-08 15:42                 ` Jeremy Linton
2021-06-10 10:33                   ` Dave Martin [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210610103354.GO4187@arm.com \
    --to=dave.martin@arm.com \
    --cc=broonie@kernel.org \
    --cc=catalin.marinas@arm.com \
    --cc=jeremy.linton@arm.com \
    --cc=libc-alpha@sourceware.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=szabolcs.nagy@arm.com \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).