Thread: 14 messages, 4 authors, 2021-06-10

Re: [PATCH v1 2/2] arm64: Enable BTI for main executable as well as the interpreter

From: Dave Martin <Dave.Martin@arm.com>
Date: 2021-06-10 10:38:48
Also in: linux-arm-kernel

On Tue, Jun 08, 2021 at 10:42:41AM -0500, Jeremy Linton wrote:
> On 6/8/21 10:19 AM, Dave Martin wrote:
> > On Tue, Jun 08, 2021 at 12:33:18PM +0100, Mark Brown via Libc-alpha wrote:
> > > On Mon, Jun 07, 2021 at 07:12:13PM +0100, Catalin Marinas wrote:
> > > > I don't think we can document all the filters that can be added on top of
> > > > various syscalls, so I'd leave it undocumented (or part of the systemd
> > > > documentation). It was a user space program (systemd) breaking another
> > > > user space program (well, anything with a new enough glibc). The kernel
> > > > ABI was still valid when /sbin/init started ;).
> > >
> > > Indeed.  I think from a kernel point of view the main thing is to look
> > > at why userspace feels the need to do things like this and see if
> > > there's anything we can improve or do better with in future APIs, part
> > > of the original discussion here was figuring out that there's not really
> > > any other reasonable options for userspace to implement this check at
> > > the minute.
> >
> > Ack, that would be my policy -- just wanted to make it explicit.
> > It would be good if there were better dialogue between the systemd
> > and kernel folks on this kind of thing.
> >
> > SECCOMP makes it rather easy to (attempt to) paper over kernel/user API
> > design problems, which probably reduces the chance of the API ever being
> > fixed properly, if we're not careful...
>
> Well IMHO the problem is larger than just BTI here, what systemd is trying
> to do by fixing the exec state of a service is admirable but it's a 90%
> solution without the entire linker/loader being in a more privileged
> context. While BTI makes finding a generic gadget that can call mprotect
> harder, it still seems like it might just be a little too easy. The seccomp
> filter is providing a nice bonus by removing the ability to disable BTI via
> mprotect without also disabling X. So without moving more of the linker into
> the kernel it's hard to see how one can really lock down X only pages.
>
> Anyway, I'm testing this on rawhide now.
>
> Thanks!
Well, I agree that there are larger issues here.  But we need to be
realistic and try not to do too much damage to future maintainability.

Note, your "bonus" is really a feature-like bug.  This is what we
should be trying to avoid IMHO: if it's important, it needs to be
designed and guaranteed.  Something that works by accident is likely to
get broken again by accident in the future.

Cheers
---Dave