From: Mark Brown
To: Catalin Marinas, Will Deacon
Cc: linux-arm-kernel@lists.infradead.org, Mark Brown, Jeremy Linton, Mark Rutland, Szabolcs Nagy, Dave Martin, Kees Cook, libc-alpha@sourceware.org
Subject: [PATCH] arm64: bti: Set PROT_BTI on all BTI executables mapped by the kernel
Date: Fri, 5 Feb 2021 17:38:37 +0000
Message-Id: <20210205173837.39315-1-broonie@kernel.org>

Currently for dynamically linked executables the kernel only enables PROT_BTI for the interpreter, the interpreter is responsible for enabling it for everything else including the main executable.
Unfortunately this interacts poorly with systemd's MemoryDenyWriteExecute feature which uses a seccomp filter to prevent setting PROT_EXEC on already mapped memory via mprotect(), it lacks the context to detect that PROT_EXEC is already set and so refuses to allow the mprotect() on the main executable which the kernel has already mapped.

Since we don't want to force users to choose between having MDWX and BTI as these are orthogonal features have the kernel enable PROT_BTI for all the ELF objects it loads, not just the dynamic linker. This means that if there is a problem with BTI it will be harder to disable at the executable level but we currently have no conditional support for this in any libc anyway so that would be new development.

Ideally we would have interfaces that allowed us to more clearly specify what is enabled and disabled by a given syscall but this would be a far more difficult change to deploy.

Reported-by: Jeremy Linton
Suggested-by: Catalin Marinas
Signed-off-by: Mark Brown
Cc: Mark Rutland
Cc: Szabolcs Nagy
Cc: Dave Martin
Cc: Kees Cook
Cc: libc-alpha@sourceware.org
---

This solution was proposed by Catalin, I'm just writing it up into a patch since it looks to be what we've converged on as the most practical solution but things seemed to have stalled out.

arch/arm64/kernel/process.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c index 71c8265b9139..0967f9e1f9fd 100644 --- a/arch/arm64/kernel/process.c +++ b/arch/arm64/kernel/process.c @@ -717,14 +717,6 @@ asmlinkage void __sched arm64_preempt_schedule_irq(void) int arch_elf_adjust_prot(int prot, const struct arch_elf_state *state, bool has_interp, bool is_interp) { - /* - * For dynamically linked executables the interpreter is - * responsible for setting PROT_BTI on everything except - * itself. - */ - if (is_interp != has_interp) - return prot; - if (!(state->flags & ARM64_ELF_BTI)) return prot; -- 2.20.1
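
Review bot: with the `if (is_interp != has_interp)` early return gone from arch_elf_adjust_prot(), the comment deleted alongside it was the only in-function statement of who sets PROT_BTI, and nothing replaces it. Suggest a short comment above the remaining `if (!(state->flags & ARM64_ELF_BTI))` check saying that the kernel now applies PROT_BTI to every ELF object it maps, main executable included, and recording the trade-off the commit message gives (BTI becomes harder to disable at the executable level). The has_interp and is_interp parameters are no longer read by any line shown in this hunk, so the comment should also say they are intentionally unused here, presumably kept only for the hook's signature.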
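
The seccomp interaction the commit message describes, as an added example that is not part of the patch and is not systemd's own filter: a constructed raw-BPF rule denies mprotect() on its prot argument alone, so re-stating PROT_EXEC on a page that is already executable fails, which is the refusal a dynamic linker meets when it adds PROT_BTI to the main executable. The names `install_filter` and `mprotect_under_filter` are hypothetical, and the code assumes Linux on a little-endian target.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed MDWE-style rule (not systemd's filter): fail any mprotect()
 * whose prot argument contains PROT_EXEC. The BPF program sees only the
 * syscall number and arguments, never the mapping's current protection.
 * Assumes a little-endian target; a production filter also checks arch. */
static int install_filter(void)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mprotect, 0, 3),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(f) / sizeof(f[0]), .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Map one page with map_prot, install the filter, then mprotect() it to
 * new_prot. Runs in a child so the filter never applies to the caller.
 * Returns 0 if mprotect() succeeded, its errno if not, -1 on setup failure. */
static int mprotect_under_filter(int map_prot, int new_prot)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        size_t len = (size_t)sysconf(_SC_PAGESIZE);
        void *p = mmap(NULL, len, map_prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (p == MAP_FAILED || install_filter())
            _exit(100);
        _exit(mprotect(p, len, new_prot) ? errno : 0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 100 ? -1 : WEXITSTATUS(status);
}
```

Calling `mprotect_under_filter(PROT_READ | PROT_EXEC, PROT_READ | PROT_EXEC)` returns EPERM even though the call changes no permission, while a call that drops PROT_WRITE from a non-executable page passes.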