Message-ID: <24df5e5e-efca-409d-a0f9-f27eb60af346@redhat.com>
Date: Wed, 22 May 2024 14:57:32 -0400
Subject: Re: [RFC 0/1] elf: mseal non-writable segments
To: Stephen Roettger, libc-alpha@sourceware.org
Cc: jeffxu@chromium.org
From: Carlos O'Donell
Organization: Red Hat
In-Reply-To: <20240522112933.2005066-1-sroettger@google.com>

On 5/22/24 7:29 AM, Stephen Roettger wrote:
> In my basic testing, this seems to work fine. But a few questions that
> I'd like some feedback on:
> * Does it sound ok to apply sealing by default? Should this be a flag in
>   the ELF, e.g. maybe the p_flags could have a sealable bit?

I think the sealing *should* be on by default and there should be no way
to disable that, but how do debuggers recover from this to patch code?

What happens to debuggers like gdb, lldb, dyninst, or valgrind when run
with a sealed process?

Is there an early rendezvous that can disable the sealing?

Is attaching to such a process to debug it always going to fail?

In many ways the sealing is equivalent to some of the same operations we
have with SELinux, but driven by the semantics of the operations rather
than any given policy e.g. deny_execmem.

The act of sealing is derived from the semantics that are already
expressed in the ELF file, particularly the PT_LOAD segment properties
and RTLD_NODELETE, which both express that the mapping should not be
removed.

> * Does it make sense to piggyback on the RTLD_NODELETE bit and apply it
>   to more objects? It seems to have the right semantics: the object
>   should never get deleted => it's ok to seal the mappings.

It does make sense.

The more difficult question is: Have these semantics been followed by
userspace?

It would be interesting to carry out something like a mass-prebuild of a
whole OS (we do this in Fedora with mass-prebuild [1], and we did it for
the GCC 14 transition last December) with this patch applied and see
what fails to build and run rpm %check phase. It is effectively A/B
testing of rpm build and check.

I'm not suggesting you do that, but it is something we should be able to
collaborate on and evaluate the results.

-- 
Cheers,
Carlos.

[1] https://gitlab.com/fedora/packager-tools/mass-prebuild
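
The point above that sealing can be derived from PT_LOAD segment properties can be checked against a real binary. This is an added example, not code from the RFC patch or from either correspondent; the rule it applies (a PT_LOAD segment without PF_W is a sealing candidate) is an assumption taken from the thread subject, and all function names are hypothetical.

```c
#include <elf.h>
#include <link.h>      /* ElfW() picks Elf32_/Elf64_ for this build */
#include <stdio.h>
#include <sys/auxv.h>

/* Assumed rule: loadable and not writable. Regions that only become
   read-only later (e.g. RELRO inside a writable segment) are not covered. */
int is_seal_candidate(const ElfW(Phdr) *ph)
{
    return ph->p_type == PT_LOAD && !(ph->p_flags & PF_W);
}

/* Count candidates in a program header table. */
size_t count_seal_candidates(const ElfW(Phdr) *ph, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_seal_candidate(&ph[i]);
    return hits;
}

/* Print every PT_LOAD entry with its permissions and the verdict. */
void print_segments(const ElfW(Phdr) *ph, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD) continue;
        unsigned f = ph[i].p_flags;
        printf("vaddr 0x%-10lx size 0x%-8lx %c%c%c  %s\n",
               (unsigned long)ph[i].p_vaddr, (unsigned long)ph[i].p_memsz,
               f & PF_R ? 'r' : '-', f & PF_W ? 'w' : '-', f & PF_X ? 'x' : '-',
               is_seal_candidate(&ph[i]) ? "seal candidate" : "left unsealed");
    }
}

/* Constructed sample: text, rodata and data segments plus a non-load entry. */
const ElfW(Phdr) sample_phdrs[] = {
    { .p_type = PT_LOAD, .p_flags = PF_R | PF_X, .p_vaddr = 0x1000, .p_memsz = 0x2000 },
    { .p_type = PT_LOAD, .p_flags = PF_R,        .p_vaddr = 0x3000, .p_memsz = 0x1000 },
    { .p_type = PT_LOAD, .p_flags = PF_R | PF_W, .p_vaddr = 0x4000, .p_memsz = 0x1000 },
    { .p_type = PT_GNU_STACK, .p_flags = PF_R | PF_W },
};
const size_t sample_count = sizeof sample_phdrs / sizeof sample_phdrs[0];

int main(void)
{
    print_segments(sample_phdrs, sample_count);
    /* The kernel hands the executable's own program headers to the process
       in the auxiliary vector; apply the same rule to them. */
    const ElfW(Phdr) *self = (const ElfW(Phdr) *)getauxval(AT_PHDR);
    if (self)
        print_segments(self, getauxval(AT_PHNUM));
    return 0;
}
```

The "seal candidate" rows are the mappings a debugger could no longer make writable to patch code if they were sealed, which is the concern raised in the reply.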