From: Florian Weimer <fweimer@redhat.com>
To: Carlos O'Donell <carlos@redhat.com>, gnu-gabi@sourceware.org
Subject: Re: Flag for late RELRO application
Date: Mon, 01 Jan 2018 00:00:00 -0000 [thread overview]
Message-ID: <1e8cc2f8-1726-7fed-f905-05610417c8af@redhat.com> (raw)
In-Reply-To: <7a4054dc-561c-544f-b3d5-4f06580e10dc@redhat.com>
On 06/11/2018 06:29 PM, Carlos O'Donell wrote:
> On 06/11/2018 07:23 AM, Florian Weimer wrote:
>> I would like to add a flag to gABI (visible in the dynamic section)
>> which indicates that the loader shall apply RELRO protection only
>> after running the ELF constructors from DT_INIT and DT_INIT_ARRAY.
>
> I assume that means also after DT_PREINIT_ARRAY?
Yes, that too.
> Should the semantics be worded in such a way as to simply say that
> all constructors have finished running?
That would be okay.
> That could be a lot of code running without RELRO protections.
Hence I suggest to require opt-in via a flag.
>> This would allow applications to allocate a mapping and store a
>> pointer to it in permanently read-only memory. On the mapping
>> itself, the application can set the protection flags (and keys) as
>> needed.
>
> Wouldn't it be safer to have some kind of second "type" of RELRO
> for these particular uses?
Safer in what sense? It's going to be quite complicated (new DT_*
entries, linker support for various sections, documentation for the new
section names).
A new flag would only need very limited linker support, and we'd have to
document the existing section names (which are already part of the ABI,
but may not be documented).
> This way we don't mix what is effectively early RELRO with late
> RELRO?
I'm not convinced the additional complexity is worth it. It's possible
to write a shared object in such a way that constructors are minimized
(and we should clean up the ones automatically provided by GCC,
independently of that). If necessary, a separate object can be used.
> I know that it's easier to just defer RELRO (all the existing
> machinery is already in place for it), but I'm wondering if that
> won't worsen the protection in substantial ways.
>
> For example how would an application mark a pointer as read-only
> but also write to it?
This seems to be portable across all GNU architectures:
void *ptr __attribute__ ((section (".data.rel.ro")));
> If you have to markup existing code with
> attributes to get this to work, you might as well collect them
> into a special section and use a 'late RELRO' flag for it,
> extending the existing RELRO framework.
Again, is this really worth the complexity?
Thanks,
Florian
next prev parent reply other threads:[~2018-06-11 17:37 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-01 0:00 Florian Weimer
2018-01-01 0:00 ` Carlos O'Donell
2018-01-01 0:00 ` Florian Weimer [this message]
2018-01-01 0:00 ` Carlos O'Donell
2018-01-01 0:00 ` Cary Coutant
2018-01-01 0:00 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1e8cc2f8-1726-7fed-f905-05610417c8af@redhat.com \
--to=fweimer@redhat.com \
--cc=carlos@redhat.com \
--cc=gnu-gabi@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).