From: Stephen Roettger <sroettger@google.com>
To: libc-alpha@sourceware.org
Cc: Stephen Roettger <sroettger@google.com>, jeffxu@chromium.org
Subject: [RFC 0/1] elf: mseal non-writable segments
Date: Wed, 22 May 2024 13:29:30 +0200 [thread overview]
Message-ID: <20240522112933.2005066-1-sroettger@google.com> (raw)
Hi all,
I'm trying to implement mseal support in the runtime loader and would
like to get some feedback on the approach.
Mseal is an upcoming syscall in Linux [0] similar to OpenBSD's
mimmutable. In short, it prevents changes to sealed mappings during the
process lifetime, for example unmapping or permission changes.
I would like to add support to the runtime loader to automatically seal
mappings if possible, in particular code and read-only data. I wrote a
simple prototype and did some basic testing on a non-graphical debian.
It currently seals any PT_LOAD segments if:
* the writable bit is not set
* the mode is RTLD_NODELETE
(TODO: I need to add support for GNU_RELRO)
And in addition, I added RTLD_NODELETE in a few places so that more
objects get sealed:
* when loading the main binary and libraries
* I added propagation for RTLD_NODELETE for any auxiliary libraries
In my basic testing, this seems to work fine. But a few questions that
I'd like some feedback on:
* Does it sound ok to apply sealing by default? Should this be a flag in
the ELF, e.g. maybe the p_flags could have a sealable bit?
* Does it make sense to piggyback on the RTLD_NODELETE bit and apply it
to more objects? It seems to have the right semantics: the object
should never get deleted => it's ok to seal the mappings.
[0] https://lore.kernel.org/lkml/20240415163527.626541-1-jeffxu@chromium.org/
Thanks!
Stephen
Stephen Roettger (1):
elf: mseal non-writable segments
elf/dl-load.c | 6 ++++++
elf/dl-load.h | 1 +
elf/dl-map-segments.h | 6 ++++++
elf/dl-open.c | 3 ++-
elf/rtld.c | 12 +++++++++---
5 files changed, 24 insertions(+), 4 deletions(-)
--
2.45.1.288.g0e0cd299f1-goog
next reply other threads:[~2024-05-22 11:29 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-22 11:29 Stephen Roettger [this message]
2024-05-22 11:29 ` [RFC 1/1] " Stephen Roettger
2024-05-22 16:24 ` Cristian Rodríguez
[not found] ` <CAEAAPHaEssoE79B0vWk1S42QaUk+WVwJ0sNxnUzF3hkXNG+b9w@mail.gmail.com>
2024-05-22 18:39 ` Carlos O'Donell
2024-05-22 18:57 ` [RFC 0/1] " Carlos O'Donell
2024-05-23 9:31 ` Stephen Röttger
2024-05-23 10:38 ` Florian Weimer
2024-05-22 19:42 ` Florian Weimer
2024-05-23 9:36 ` Stephen Röttger
2024-06-04 14:19 ` Adhemerval Zanella Netto
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240522112933.2005066-1-sroettger@google.com \
--to=sroettger@google.com \
--cc=jeffxu@chromium.org \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).