Date: Thu, 10 Jun 2021 11:33:54 +0100
From: Dave Martin
To: Jeremy Linton
Cc: Mark Brown, Catalin Marinas, linux-arch@vger.kernel.org, libc-alpha@sourceware.org, Szabolcs Nagy, Will Deacon, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v1 2/2] arm64: Enable BTI for main executable as well as the interpreter
Message-ID: <20210610103354.GO4187@arm.com>
References: <20210521144621.9306-1-broonie@kernel.org> <20210521144621.9306-3-broonie@kernel.org> <20210603154034.GH4187@arm.com> <20210603165134.GF4257@sirena.org.uk> <20210603180429.GI20338@arm.com> <20210607112536.GI4187@arm.com> <20210607181212.GD17957@arm.com> <20210608113318.GA4200@sirena.org.uk> <20210608151914.GJ4187@arm.com> <2318f36a-0b81-0e6c-cf6e-ce4167471c82@arm.com>
In-Reply-To: <2318f36a-0b81-0e6c-cf6e-ce4167471c82@arm.com>
On Tue, Jun 08, 2021 at 10:42:41AM -0500, Jeremy Linton wrote:
> On 6/8/21 10:19 AM, Dave Martin wrote:
> > On Tue, Jun 08, 2021 at 12:33:18PM +0100, Mark Brown via Libc-alpha wrote:
> > > On Mon, Jun 07, 2021 at 07:12:13PM +0100, Catalin Marinas wrote:
> > >
> > > > I don't think we can document all the filters that can be added on top
> > > > of various syscalls, so I'd leave it undocumented (or part of the systemd
> > > > documentation). It was a user space program (systemd) breaking another
> > > > user space program (well, anything with a new enough glibc). The kernel
> > > > ABI was still valid when /sbin/init started ;).
> > >
> > > Indeed. I think from a kernel point of view the main thing is to look
> > > at why userspace feels the need to do things like this and see if
> > > there's anything we can improve or do better with in future APIs; part
> > > of the original discussion here was figuring out that there's not really
> > > any other reasonable option for userspace to implement this check at
> > > the minute.
> >
> > Ack, that would be my policy -- just wanted to make it explicit.
> > It would be good if there were better dialogue between the systemd
> > and kernel folks on this kind of thing.
> >
> > SECCOMP makes it rather easy to (attempt to) paper over kernel/user API
> > design problems, which probably reduces the chance of the API ever being
> > fixed properly, if we're not careful...
>
> Well, IMHO the problem is larger than just BTI here. What systemd is trying
> to do by fixing the exec state of a service is admirable, but it's a 90%
> solution without the entire linker/loader being in a more privileged
> context. While BTI makes finding a generic gadget that can call mprotect
> harder, it still seems like it might just be a little too easy. The seccomp
> filter is providing a nice bonus by removing the ability to disable BTI via
> mprotect without also disabling X. So without moving more of the linker into
> the kernel it's hard to see how one can really lock down X-only pages.
>
> Anyway, I'm testing this on rawhide now.
>
> Thanks!

Well, I agree that there are larger issues here. But we need to be
realistic and try not to do too much damage to future maintainability.

Note, your "bonus" is really a feature-like bug. This is what we should
be trying to avoid IMHO: if it's important, it needs to be designed and
guaranteed. Something that works by accident is likely to get broken
again by accident in the future.

Cheers
---Dave
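The filter behaviour Jeremy describes (any mprotect() that keeps PROT_EXEC is refused, so PROT_BTI cannot be dropped from an executable page by the same route that broke glibc's mprotect()-based BTI enabling) can be reproduced with a minimal seccomp-bpf program. This is an added illustration, not code from the thread, from systemd or from glibc; it assumes Linux on x86-64 or arm64, uses the arm64 PROT_BTI value only as a placeholder on other architectures, and the function names are invented for the example.

```c
/* Added example, not code from the thread: a seccomp-bpf filter that denies
 * any mprotect() whose prot contains PROT_EXEC.  Assumes Linux, x86-64/arm64. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef PROT_BTI
#define PROT_BTI 0x10 /* arm64 uapi value; only a placeholder elsewhere */
#endif
#if defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#define THIS_ARCH AUDIT_ARCH_X86_64 /* assumption: other builds are x86-64 */
#endif
/* Install for the calling thread; 0 on success, -1 (errno set) on failure. */
int install_no_exec_mprotect_filter(void)
{
    struct sock_filter code[] = {
        /* Kill on an unexpected ABI so syscall numbers cannot be confused. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* mprotect with PROT_EXEC in prot (low word of args[2]) fails with
         * EPERM, so PROT_BTI cannot be toggled on an executable mapping. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof code / sizeof code[0], .filter = code };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Map one anonymous page and mprotect() it; returns 0 or the errno seen. */
int probe_mprotect(int prot)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    int rc = mprotect(page, len, prot) == 0 ? 0 : errno;
    munmap(page, len);
    return rc;
}
```

After install_no_exec_mprotect_filter(), probe_mprotect(PROT_READ | PROT_EXEC | PROT_BTI) returns EPERM, exactly as a plain PROT_READ | PROT_EXEC request does, while PROT_READ | PROT_WRITE still succeeds; the filter cannot tell a legitimate BTI enable from an attempt to drop it.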