From: Dave Martin <Dave.Martin@arm.com>
To: Jeremy Linton <firstname.lastname@example.org>
Cc: Mark Brown <email@example.com>, Catalin Marinas <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, Szabolcs Nagy <email@example.com>, Will Deacon <firstname.lastname@example.org>, email@example.com
Subject: Re: [PATCH v1 2/2] arm64: Enable BTI for main executable as well as the interpreter
Date: Thu, 10 Jun 2021 11:33:54 +0100
Message-ID: <20210610103354.GO4187@arm.com>
In-Reply-To: <firstname.lastname@example.org>

On Tue, Jun 08, 2021 at 10:42:41AM -0500, Jeremy Linton wrote:
> On 6/8/21 10:19 AM, Dave Martin wrote:
> >On Tue, Jun 08, 2021 at 12:33:18PM +0100, Mark Brown via Libc-alpha wrote:
> >>On Mon, Jun 07, 2021 at 07:12:13PM +0100, Catalin Marinas wrote:
> >>
> >>>I don't think we can document all the filters that can be added on top
> >>>of various syscalls, so I'd leave it undocumented (or part of the systemd
> >>>documentation). It was a user space program (systemd) breaking another
> >>>user space program (well, anything with a new enough glibc). The kernel
> >>>ABI was still valid when /sbin/init started ;).
> >>
> >>Indeed. I think from a kernel point of view the main thing is to look
> >>at why userspace feels the need to do things like this and see if
> >>there's anything we can improve or do better with in future APIs, part
> >>of the original discussion here was figuring out that there's not really
> >>any other reasonable options for userspace to implement this check at
> >>the minute.
> >
> >Ack, that would be my policy -- just wanted to make it explicit.
> >It would be good if there were better dialogue between the systemd
> >and kernel folks on this kind of thing.
> >
> >SECCOMP makes it rather easy to (attempt to) paper over kernel/user API
> >design problems, which probably reduces the chance of the API ever being
> >fixed properly, if we're not careful...
>
> Well IMHO the problem is larger than just BTI here, what systemd is trying
> to do by fixing the exec state of a service is admirable but it's a 90%
> solution without the entire linker/loader being in a more privileged
> context. While BTI makes finding a generic gadget that can call mprotect
> harder, it still seems like it might just be a little too easy. The seccomp
> filter is providing a nice bonus by removing the ability to disable BTI via
> mprotect without also disabling X. So without moving more of the linker into
> the kernel it's hard to see how one can really lock down X only pages.
>
> Anyway, I'm testing this on rawhide now.
>
> Thanks!

Well, I agree that there are larger issues here. But we need to be
realistic and try not to do too much damage to future maintainability.

Note, your "bonus" is really a feature-like bug. This is what we should
be trying to avoid IMHO: if it's important, it needs to be designed and
guaranteed. Something that works by accident is likely to get broken
again by accident in the future.

Cheers
---Dave

_______________________________________________
linux-arm-kernel mailing list
email@example.com
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel