From: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
To: Siddhesh Poyarekar <siddhesh@sourceware.org>,
Zack Weinberg <zack@owlfolio.org>,
Szabolcs Nagy <szabolcs.nagy@arm.com>,
GNU libc development <libc-alpha@sourceware.org>
Cc: Florian Weimer <fweimer@redhat.com>, Carlos O'Donell <carlos@redhat.com>
Subject: Re: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE
Date: Fri, 6 Oct 2023 14:10:14 -0300 [thread overview]
Message-ID: <6659d8d5-7b0a-4a6f-82c5-f52a99ca2891@linaro.org> (raw)
In-Reply-To: <4eaea4b7-c72f-8bd8-ab2b-dc08fc4ad97d@sourceware.org>
On 06/10/23 09:41, Siddhesh Poyarekar wrote:
> On 2023-10-06 08:25, Zack Weinberg wrote:
>>> I don't completely disagree with the conclusion below, but the CVE
>>> that prompted this discussion doesn't say anything about environment
>>> inheritance because the vulnerability had nothing to do with
>>> environment processing and inheritance.
>>
>> I may have misunderstood the CVE or mixed it up with another one.
>> I thought there was a recent CVE in which a SXID_IGNORE environment
>> variable was inherited by a child process, and that child process was
>> rendered vulnerable to further exploitation because it honored that
>> variable.
>
> Hmm, I don't remember anything like this recently (but my memory is worse than my airplane flying skills), but something like that would be an interesting data point and further confirmation that we need to get rid of SXID_IGNORE and SXID_NONE. In any case, I can't see a good reason anymore to keep these levels, especially if we drop memory tagging, malloc tuning and malloc debugging tunables from SXID_IGNORE. If memory tagging needs to persist across setxid programs then there needs to be a different way, maybe through systemwide tunables[1] that DJ is working on, or maybe even ELF markup.
>
> Adhemerval has taken this patchset and is going to build on it to rip it all out, so we'll hopefully resolve all of this together.
I think the less contiguous change would to keep with the blacklist of
environment variables, since changing to whitelist will change the
current semantic (and add possible user-visible breakage), ignore any
tunable on AT_SECURE binaries (as some Linux distributions are already
doing [1]), add GLIBC_TUNABLES to unsecvars (so if AT_SECURE binaries
want to set any tunable, they should it explicit), and remove the
requirement of duplice the GLIBC_TUNABLES tunable parsing (which
some memory allocation failure).
Yes, security hardening tunables won't be applied for AT_SECURE binaries,
but I think opt-in security features that have performance implications
should done by system administrator instead of relying on users.
[1] https://git.altlinux.org/gears/g/glibc.git?p=glibc.git;a=commitdiff;h=5d1686416ab766f3dd0780ab730650c4c0f76ca9
next prev parent reply other threads:[~2023-10-06 17:10 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-03 20:11 [PATCH 0/2] make all tunables SXID_ERASE Siddhesh Poyarekar
2023-10-03 20:11 ` [PATCH 1/2] Make all malloc " Siddhesh Poyarekar
2023-10-03 20:11 ` [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE Siddhesh Poyarekar
2023-10-04 7:29 ` Szabolcs Nagy
2023-10-04 11:59 ` Siddhesh Poyarekar
2023-10-04 14:04 ` Szabolcs Nagy
2023-10-04 14:23 ` Siddhesh Poyarekar
2023-10-04 14:51 ` Szabolcs Nagy
2023-10-04 14:53 ` Siddhesh Poyarekar
2023-10-04 15:05 ` Siddhesh Poyarekar
2023-10-04 17:01 ` Adhemerval Zanella Netto
2023-10-05 8:19 ` Szabolcs Nagy
2023-10-05 12:55 ` Siddhesh Poyarekar
2023-10-05 13:59 ` Szabolcs Nagy
2023-10-05 14:05 ` Siddhesh Poyarekar
2023-10-05 18:31 ` Zack Weinberg
2023-10-05 19:11 ` Siddhesh Poyarekar
2023-10-06 12:25 ` Zack Weinberg
2023-10-06 12:41 ` Siddhesh Poyarekar
2023-10-06 17:10 ` Adhemerval Zanella Netto [this message]
2023-10-06 18:04 ` Siddhesh Poyarekar
2023-10-08 19:51 ` Michael Hudson-Doyle
2023-10-31 19:58 ` Zack Weinberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6659d8d5-7b0a-4a6f-82c5-f52a99ca2891@linaro.org \
--to=adhemerval.zanella@linaro.org \
--cc=carlos@redhat.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=siddhesh@sourceware.org \
--cc=szabolcs.nagy@arm.com \
--cc=zack@owlfolio.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).