From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: Flag for late RELRO application
To: Cary Coutant
Cc: gnu-gabi@sourceware.org
References: <0140c64d-ceef-070e-a8f5-95a930984800@redhat.com>
From: Florian Weimer
Message-ID: <30bac825-fa96-f92c-f6a4-263da7132f61@redhat.com>
Date: Mon, 01 Jan 2018 00:00:00 -0000
In-Reply-To:
Content-Type: text/plain; charset=utf-8; format=flowed
On 06/11/2018 09:52 PM, Cary Coutant wrote:
>> I would like to add a flag to gABI (visible in the dynamic section) which
>> indicates that the loader shall apply RELRO protection only after running
>> the ELF constructors from DT_INIT and DT_INIT_ARRAY.
>>
>> This would allow applications to allocate a mapping and store a pointer to
>> it in permanently read-only memory. On the mapping itself, the application
>> can set the protection flags (and keys) as needed.
>
> Why can't the application that wants to do this simply do the following?
>
> mprotect(&ptr, sizeof(ptr), PROT_READ|PROT_WRITE);
> ptr = ...;
> mprotect(&ptr, sizeof(ptr), PROT_READ);

The original mapping might have been PROT_READ | PROT_EXEC, and then the
PROT_EXEC is gone, which isn't good. Security policy may also prevent the
PROT_WRITE → PROT_EXEC transition.

> We have RELRO to collect all the data together that the dynamic loader
> needs to initialize. I see no good reason to extend that feature to
> support an application-specific need, especially when it significantly
> expands the window during which the program is subject to attack.
> Initializers are just as prone to hacking as the rest of the program.

Initializers can access the process environment, true, but for many
applications, that is trusted and there is no boundary crossed. That only
comes later in the process (after running main).

In any case, I wanted to make this opt-in, so that applications or
libraries can choose the approach they prefer.

Thanks,
Florian
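The following is an added example, not code from this thread or from glibc, illustrating the pitfall Florian raises: a blanket `mprotect(..., PROT_READ)` after the write discards whatever other bits the page had, so a read+execute page ends up read-only. The sketch instead looks up the page's current protection before toggling write access and restores exactly those bits afterwards. It also page-aligns the address, since `mprotect` works on whole pages rather than on `sizeof(ptr)` bytes. The function names (`perms_to_prot`, `find_mapping_prot`, `current_prot`, `store_into_readonly`) are my own, the lookup assumes Linux's `/proc/self/maps`, and the maps lines used in the test are constructed. Whether the first `mprotect` call is even allowed for an executable page is up to the system's W^X policy, which is the second point the message makes; the code can only report that failure, not avoid it.

```c
#define _GNU_SOURCE
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Translate the permission field of a /proc/self/maps line (e.g. "r-xp")
   into mprotect() PROT_* bits. Returns -1 on a malformed field. */
int perms_to_prot(const char *perms)
{
    if (perms == NULL || strlen(perms) < 3)
        return -1;
    int prot = PROT_NONE;
    if (perms[0] == 'r') prot |= PROT_READ;
    if (perms[1] == 'w') prot |= PROT_WRITE;
    if (perms[2] == 'x') prot |= PROT_EXEC;
    return prot;
}

/* Scan maps text ("start-end perms ..." lines, newline separated) for the
   mapping containing addr and return its PROT_* bits, or -1 if none matches. */
int find_mapping_prot(const char *maps, uintptr_t addr)
{
    const char *line = maps;
    while (line != NULL && *line != '\0') {
        uintptr_t start, end;
        char perms[5];
        if (sscanf(line, "%" SCNxPTR "-%" SCNxPTR " %4s", &start, &end, perms) == 3
            && addr >= start && addr < end)
            return perms_to_prot(perms);
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Linux-specific: read this process's own mappings line by line and return
   the current protection of the page holding addr, or -1 on failure. */
int current_prot(const void *addr)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (f == NULL)
        return -1;
    char line[512];
    int prot = -1;
    while (prot < 0 && fgets(line, sizeof line, f) != NULL)
        prot = find_mapping_prot(line, (uintptr_t)addr);
    fclose(f);
    return prot;
}

/* Store value into a pointer slot that lives in read-only memory, then put
   the page back to exactly the protection it had before (not a blanket
   PROT_READ), so an r-x page does not silently lose PROT_EXEC.
   Returns 0 on success, -1 on failure. */
int store_into_readonly(void **slot, void *value)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *page = (void *)((uintptr_t)slot & ~((uintptr_t)pagesz - 1));
    int orig = current_prot(slot);
    if (orig < 0)
        return -1;
    /* A W^X policy may refuse adding PROT_WRITE to an executable page; that
       is the transition the message says security policy may prevent. */
    if (mprotect(page, pagesz, orig | PROT_WRITE) != 0)
        return -1;
    *slot = value;
    return mprotect(page, pagesz, orig) == 0 ? 0 : -1;
}

int main(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    /* Constructed stand-in for RELRO data: one page holding a pointer slot,
       made read-only once initialisation is done. */
    void **slot = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (slot == MAP_FAILED)
        return 1;
    *slot = NULL;
    if (mprotect(slot, pagesz, PROT_READ) != 0)
        return 1;
    /* The mapping whose address the application wants to pin in read-only memory. */
    void *mapping = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int rc = store_into_readonly(slot, mapping);
    printf("store %s; slot page protection now %d (PROT_READ is %d)\n",
           rc == 0 ? "ok" : "failed", current_prot(slot), PROT_READ);
    return rc == 0 ? 0 : 1;
}
```

The parsing helpers are split out so that the permission lookup can be exercised on constructed maps text without touching the live process; `store_into_readonly` is the part that depends on the kernel honouring the restore.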