Subject: Re: Flag for late RELRO application
To: Carlos O'Donell, gnu-gabi@sourceware.org
References: <0140c64d-ceef-070e-a8f5-95a930984800@redhat.com> <7a4054dc-561c-544f-b3d5-4f06580e10dc@redhat.com>
From: Florian Weimer
Message-ID: <1e8cc2f8-1726-7fed-f905-05610417c8af@redhat.com>
Date: Mon, 01 Jan 2018 00:00:00 -0000
In-Reply-To: 
<7a4054dc-561c-544f-b3d5-4f06580e10dc@redhat.com>

On 06/11/2018 06:29 PM, Carlos O'Donell wrote:
> On 06/11/2018 07:23 AM, Florian Weimer wrote:
>> I would like to add a flag to gABI (visible in the dynamic section)
>> which indicates that the loader shall apply RELRO protection only
>> after running the ELF constructors from DT_INIT and DT_INIT_ARRAY.
>
> I assume that means also after DT_PREINIT_ARRAY?

Yes, that too.

> Should the semantics be worded in such a way as to simply say that
> all constructors have finished running?

That would be okay.

> That could be a lot of code running without RELRO protections.

Hence I suggest requiring opt-in via a flag.

>> This would allow applications to allocate a mapping and store a
>> pointer to it in permanently read-only memory. On the mapping
>> itself, the application can set the protection flags (and keys) as
>> needed.
>
> Wouldn't it be safer to have some kind of second "type" of RELRO
> for these particular uses?

Safer in what sense? It's going to be quite complicated (new DT_* entries, linker support for various sections, documentation for the new section names). A new flag would only need very limited linker support, and we'd have to document the existing section names (which are already part of the ABI, but may not be documented).

> This way we don't mix what is effectively early RELRO with late
> RELRO?

I'm not convinced the additional complexity is worth it. It's possible to write a shared object in such a way that constructors are minimized (and we should clean up the ones automatically provided by GCC, independently of that). If necessary, a separate object can be used.

> I know that it's easier to just defer RELRO (all the existing
> machinery is already in place for it), but I'm wondering if that
> won't worsen the protection in substantial ways.
>
> For example how would an application mark a pointer as read-only
> but also write to it?

This seems to be portable across all GNU architectures:

void *ptr __attribute__ ((section (".data.rel.ro")));

> If you have to markup existing code with
> attributes to get this to work, you might as well collect them
> into a special section and use a 'late RELRO' flag for it,
> extending the existing RELRO framework.

Again, is this really worth the complexity?

Thanks,
Florian
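An added check, not part of the mail or of glibc, that shows where the `.data.rel.ro` pointer from the message ends up at runtime: it reads the executable's program headers from the auxiliary vector and tests whether an address falls inside the PT_GNU_RELRO segment, the region the loader makes read-only (today before constructors run, under the proposed flag after them). The function names `addr_in_relro`, `exe_load_base` and `exe_addr_in_relro` are my own, and `sample_phdrs` is a constructed program-header table used only to exercise the pure helper offline.

```c
#include <elf.h>       /* PT_GNU_RELRO, PT_PHDR, PT_LOAD */
#include <link.h>      /* ElfW() */
#include <stdint.h>
#include <sys/auxv.h>  /* getauxval, AT_PHDR, AT_PHNUM */

/* The pointer from the mail, only read here: storing to it from a constructor
   faults under today's early RELRO, the problem the proposed flag addresses. */
void *ptr __attribute__ ((section (".data.rel.ro")));

/* Pure helper: is addr inside a PT_GNU_RELRO segment of an object loaded at
   load_base?  A segment covers [base + p_vaddr, base + p_vaddr + p_memsz). */
int addr_in_relro(const ElfW(Phdr) *phdr, int phnum,
                  uintptr_t load_base, uintptr_t addr)
{
    for (int i = 0; i < phnum; i++) {
        if (phdr[i].p_type != PT_GNU_RELRO)
            continue;
        uintptr_t start = load_base + phdr[i].p_vaddr;
        if (addr >= start && addr < start + phdr[i].p_memsz)
            return 1;
    }
    return 0;
}

/* Constructed program-header table for exercising the helper offline:
   a RW PT_LOAD at 0x2d90 and a PT_GNU_RELRO covering its first 0x270 bytes. */
const ElfW(Phdr) sample_phdrs[] = {
    { .p_type = PT_LOAD,      .p_vaddr = 0x2d90, .p_memsz = 0x2a0 },
    { .p_type = PT_GNU_RELRO, .p_vaddr = 0x2d90, .p_memsz = 0x270 },
};

/* Load base of the running executable: runtime address of its program headers
   minus the link-time address recorded in PT_PHDR (0 when there is none). */
uintptr_t exe_load_base(const ElfW(Phdr) *phdr, int phnum)
{
    for (int i = 0; i < phnum; i++)
        if (phdr[i].p_type == PT_PHDR)
            return (uintptr_t) phdr - phdr[i].p_vaddr;
    return 0;
}

/* Live check: does p lie in the running executable's PT_GNU_RELRO segment? */
int exe_addr_in_relro(const void *p)
{
    const ElfW(Phdr) *phdr = (const ElfW(Phdr) *) getauxval(AT_PHDR);
    int phnum = (int) getauxval(AT_PHNUM);
    return addr_in_relro(phdr, phnum, exe_load_base(phdr, phnum), (uintptr_t) p);
}
```

Calling `exe_addr_in_relro(&ptr)` from `main` reports whether the linker placed the variable inside the RELRO segment; the proposed flag changes only when that segment is protected, not its contents.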