From: Will Deacon
To: Catalin Marinas
Cc: Mark Brown, linux-arm-kernel@lists.infradead.org, Jeremy Linton, Mark Rutland, Szabolcs Nagy, Dave Martin, Kees Cook, libc-alpha@sourceware.org
Date: Mon, 8 Feb 2021 12:44:51 +0000
Subject: Re: [PATCH] arm64: bti: Set PROT_BTI on all BTI executables mapped by the kernel
Message-ID: <20210208124451.GB25618@willie-the-truck>
References: <20210205173837.39315-1-broonie@kernel.org> <20210205175128.GB12697@gaia>
In-Reply-To: <20210205175128.GB12697@gaia>

On Fri, Feb 05, 2021 at 05:51:29PM +0000, Catalin Marinas wrote:
> On Fri, Feb 05, 2021 at 05:38:37PM +0000, Mark Brown wrote:
> > Currently for dynamically linked executables the kernel only enables
> > PROT_BTI for the interpreter, the interpreter is responsible for
> > enabling it for everything else including the main executable.
> > Unfortunately this interacts poorly with systemd's
> > MemoryDenyWriteExecute feature which uses a seccomp filter to prevent
> > setting PROT_EXEC on already mapped memory via mprotect(), it lacks the
> > context to detect that PROT_EXEC is already set and so refuses to allow
> > the mprotect() on the main executable which the kernel has already
> > mapped.
> >
> > Since we don't want to force users to choose between having MDWX and BTI
> > as these are orthogonal features have the kernel enable PROT_BTI for all
> > the ELF objects it loads, not just the dynamic linker. This means that
> > if there is a problem with BTI it will be harder to disable at the
> > executable level but we currently have no conditional support for this
> > in any libc anyway so that would be new development. Ideally we would
> > have interfaces that allowed us to more clearly specify what is enabled
> > and disabled by a given syscall but this would be a far more difficult
> > change to deploy.
> >
> > Reported-by: Jeremy Linton
> > Suggested-by: Catalin Marinas
> > Signed-off-by: Mark Brown
> > Cc: Mark Rutland
> > Cc: Szabolcs Nagy
> > Cc: Dave Martin
> > Cc: Kees Cook
> > Cc: libc-alpha@sourceware.org
>
> Thanks Mark for putting the patch together. You may want to add a
> reference to some of the discussions around the ABI, one of them:
>
> Link: https://lore.kernel.org/r/20201207200338.GB24625@arm.com/
>
> (so we can keep Szabolcs accountable if something breaks ;))
>
> For this patch:
>
> Reviewed-by: Catalin Marinas
>
> I wouldn't merge it as a fix yet but I'm ok with getting in 5.12 if Will
> is ok. It would give us some time to revert.

I'd like an Ack from Szabolcs before we queue this.

Will
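
The interaction described in the quoted commit message, as an added example that is not part of this thread and is not kernel, systemd or glibc code: a small C model of why a filter that sees only the mprotect() arguments refuses the request to add PROT_BTI to a segment the kernel already mapped executable. The struct, the function names, the address and the length are hypothetical; the MDWX rule is modelled only as the message describes it, and PROT_BTI is given its arm64 value where the headers do not define it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>

#ifndef PROT_BTI
#define PROT_BTI 0x10 /* arm64 uapi value; defined here so the model builds anywhere */
#endif

/* Hypothetical model type: a seccomp filter sees only the syscall arguments. */
struct mprotect_args {
    unsigned long addr;
    unsigned long len;
    unsigned long prot;
};

/* MDWX-style rule as described in the thread: deny mprotect() requesting PROT_EXEC. */
static bool mdwx_filter_allows(const struct mprotect_args *a)
{
    return (a->prot & PROT_EXEC) == 0;
}

/* Hypothetical state-aware policy: deny only when PROT_EXEC is newly added.
 * It needs the mapping's current protection, which the filter never receives. */
static bool state_aware_allows(unsigned long cur_prot, const struct mprotect_args *a)
{
    bool adds_exec = (a->prot & PROT_EXEC) && !(cur_prot & PROT_EXEC);
    return !adds_exec;
}

/* The interpreter's request to enable BTI on an already executable segment. */
static struct mprotect_args linker_bti_request(unsigned long addr, unsigned long len)
{
    struct mprotect_args a = { addr, len, PROT_READ | PROT_EXEC | PROT_BTI };
    return a;
}

int main(void)
{
    /* Constructed address and length for the main executable's text segment. */
    struct mprotect_args req = linker_bti_request(0x400000UL, 0x1000UL);
    unsigned long kernel_mapped = PROT_READ | PROT_EXEC; /* set by the kernel's ELF loader */

    printf("argument-only filter allows: %d\n", mdwx_filter_allows(&req));
    printf("state-aware policy allows:   %d\n", state_aware_allows(kernel_mapped, &req));
    return 0;
}
```

The two results differ only because the second function is handed the mapping's current protection, which is the context the commit message says the filter lacks.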