From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) by sourceware.org (Postfix) with ESMTPS id 463EA3858D38 for ; Thu, 23 May 2024 09:32:06 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 463EA3858D38 Authentication-Results: sourceware.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=google.com ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 463EA3858D38 Authentication-Results: server2.sourceware.org; arc=none smtp.remote-ip=2a00:1450:4864:20::429 ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1716456730; cv=none; b=XacJCpEc5T6Axi2si1b9JhajPYh/loprw2GpSjm/zuibRQFWqGWjcbbUpvoP19gc+4FBy6BzKisNJiXQySwkHde73jl4attCez2dunoeXgcYrtAu8ST4XZMackJgXcH6y46iWagYk2NRFDbvAq2Y/Hky6c9PAbP7HLWeYBb9ZAw= ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1716456730; c=relaxed/simple; bh=d2e3mHAyCDpZqxNsxNqPLthwzZlV2J+/bUfMWnbWTr8=; h=DKIM-Signature:MIME-Version:From:Date:Message-ID:Subject:To; b=RBKr9bUtnZVp/a07Fsd9r69sWeKFBNJNimhTqU2g96/C2fealhEGjrGW2kWoIhDZvkCtZQtVuKD7xmkpY2fLFe4OxFQucIsCu+OiqzwWyasmOitYBCIa077E49HD8BGkwDzZC0L+3IWymPhKI+tvba83JBr0HDuGTleecPTIMOQ= ARC-Authentication-Results: i=1; server2.sourceware.org Received: by mail-wr1-x429.google.com with SMTP id ffacd0b85a97d-354de3c5c61so1353616f8f.0 for ; Thu, 23 May 2024 02:32:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1716456725; x=1717061525; darn=sourceware.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=rt3w/slLRaatCXXqOprSdfKa87yy7GosSyjmCoUk5v4=; b=sLOIVTjHCgM4GrYGrFNL6ZNIHQlqF6YPxb+9y1qChUihzUjr5Bb7cfb8RccaZOetsV I9MdLvTdebiH6SZSa2l06djcyO4kw3kA5zUZTZh2++n11e1nDppbseCdVLOzZGjxrZr1 eFBglJsvmH3e/icCB5zIzz7VPHAZVeiM8qdr2sfdktWElvWk7GqbCjIh6ItHfGZeuE8J k6rOA0N3Lci29QQcnjSLWQSbSUpfPqC3sNCM1PW3afL1ZXDNY5byJ67+VqarhrddCS/X 2Rrc51V44A/chWUM2CMwvUjKZLR61KEamI59RpDNPXcB/dJ/d0uXxypPhVQGEt+HPc2D CFbQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716456725; x=1717061525; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=rt3w/slLRaatCXXqOprSdfKa87yy7GosSyjmCoUk5v4=; b=BaYmPtvcpJtYCvH2Gn9HWZ45Gwj5ugZ/UR6UFNdCOLYqGtzTub2b3b76SNwE4f2afP lKrShRJT76da6AKKiMdm0b+NQGjHe/V9hCjOkwUYX01CGFD3Tzw+sAorwW96gpWEBXey ZoDNN4WD9e45gTcRa2cu3GPJMsusNDJ9IuWRkLiqIfY02f4wHZcPTc5Gx319hk/22ckc W+rK2NNgHsnOZ+wL0dFNKAgLBtO4eNrkdb/FX4yRwvzitGjzEPcAJHn2UiUfCAAkVSEd hliZhyAJhF2jBsWScc+W9RHSgSqONk4qWTX7i7PIt090r5s7T3Hak4a+NYr55RQP8IWW y7fQ== X-Gm-Message-State: AOJu0YxAATvtNdwZIInMPtmmkkxJJDM21sGHAq1JdB9DdaV65U7Y87Ax 0lf2OMKX/IAU0a2Vph/mdYnyTvM6rnmw87wkYmdGSGJUwyiaATlhcWh5GE5bob+xAMqs7HO9Wau NVxN7QwKHB6FfWL8x2PkdNRH3jWbwuKHCljhoVPVmoQj2uV22PzfOIPI= X-Google-Smtp-Source: AGHT+IF1vo0rGNL2EVCrwNn7U4bhh7kqS3lHU5wC3DYjf8/9SkUP8r3oPx4/FTUbpABYNFnX7hyvoaFPVT7cIWwaWf0= X-Received: by 2002:a05:6000:89:b0:34d:b549:9465 with SMTP id ffacd0b85a97d-354d8cdd80amr3539050f8f.32.1716456724573; Thu, 23 May 2024 02:32:04 -0700 (PDT) MIME-Version: 1.0 References: <20240522112933.2005066-1-sroettger@google.com> <24df5e5e-efca-409d-a0f9-f27eb60af346@redhat.com> In-Reply-To: <24df5e5e-efca-409d-a0f9-f27eb60af346@redhat.com> From: =?UTF-8?Q?Stephen_R=C3=B6ttger?= Date: Thu, 23 May 2024 11:31:49 +0200 Message-ID: Subject: Re: [RFC 0/1] elf: mseal non-writable segments To: "Carlos O'Donell" Cc: libc-alpha@sourceware.org, jeffxu@chromium.org, fweimer@redhat.com Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="00000000000060ef9206191bb9d6" X-Spam-Status: No, score=-19.5 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,TXREP,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: --00000000000060ef9206191bb9d6 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, May 22, 2024 at 8:57=E2=80=AFPM Carlos O'Donell = wrote: > > On 5/22/24 7:29 AM, Stephen Roettger wrote: > > In my basic testing, this seems to work fine. But a few questions that > > I'd like some feedback on: > > * Does it sound ok to apply sealing by default? Should this be a flag i= n > > the ELF, e.g. maybe the p_flags could have a sealable bit? > > I think the sealing *should* be on by default and there should be no way > to disable that, but how do debuggers recover from this to patch code? > > What happens to debuggers like gdb, lldb, dyninst, or valgrind when run > with a sealed process? Is there an early rendezvous that can disable > the sealing? Is attaching to such a process to debug it always going to > fail? I naively assumed that debuggers would use PTRACE_POKE* to write to the tracee memory. That would still work as before since it doesn't change = the page permissions. So far, I didn't spot any problems with gdb. It would be an issue if a debugger injects code into the process that then = calls mprotect on a sealed mapping, is that the issue that you have in mind? Could an environment variable that disables sealing address this? E.g. if LD_NOSEAL is set, then the loader doesn't seal any mappings. > In many ways the sealing is equivalent to some of the same operations we > have with SELinux, but driven by the semantics of the operations rather > than any given policy e.g. deny_execmem. > > The act of sealing is derived from the semantics that are already express= ed > in the ELF file, particularly the PT_LOAD segment properties and > RTLD_NODELETE, which both express that the mapping should not be > removed. > > > * Does it make sense to piggyback on the RTLD_NODELETE bit and apply it > > to more objects? It seems to have the right semantics: the object > > should never get deleted =3D> it's ok to seal the mappings. > > It does make sense. > > The more difficult question is: Have these semantics been followed by use= rpace? > > It would be interesting to carry out something like a mass-prebuild of a = whole OS > (we do this in Fedora with mass-prebuild [1], and we did it for the GCC 1= 4 transition > last December) with this patch applied and see what fails to build and ru= n > rpm %check phase. It is effectively A/B testing of rpm build and check. > > I'm not suggesting you do that, but it is something we should be able to = collaborate > on and evaluate the results. > > -- > Cheers, > Carlos. > > [1] https://gitlab.com/fedora/packager-tools/mass-prebuild > --00000000000060ef9206191bb9d6 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIPrAYJKoZIhvcNAQcCoIIPnTCCD5kCAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0BBwGg gg0GMIIEtjCCA56gAwIBAgIQeAMYYHb81ngUVR0WyMTzqzANBgkqhkiG9w0BAQsFADBMMSAwHgYD VQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UE AxMKR2xvYmFsU2lnbjAeFw0yMDA3MjgwMDAwMDBaFw0yOTAzMTgwMDAwMDBaMFQxCzAJBgNVBAYT AkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSowKAYDVQQDEyFHbG9iYWxTaWduIEF0bGFz IFIzIFNNSU1FIENBIDIwMjAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvLe9xPU9W dpiHLAvX7kFnaFZPuJLey7LYaMO8P/xSngB9IN73mVc7YiLov12Fekdtn5kL8PjmDBEvTYmWsuQS 6VBo3vdlqqXZ0M9eMkjcKqijrmDRleudEoPDzTumwQ18VB/3I+vbN039HIaRQ5x+NHGiPHVfk6Rx c6KAbYceyeqqfuJEcq23vhTdium/Bf5hHqYUhuJwnBQ+dAUcFndUKMJrth6lHeoifkbw2bv81zxJ I9cvIy516+oUekqiSFGfzAqByv41OrgLV4fLGCDH3yRh1tj7EtV3l2TngqtrDLUs5R+sWIItPa/4 AJXB1Q3nGNl2tNjVpcSn0uJ7aFPbAgMBAAGjggGKMIIBhjAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0l BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFHzM CmjXouseLHIb0c1dlW+N+/JjMB8GA1UdIwQYMBaAFI/wS3+oLkUkrk1Q+mOai97i3Ru8MHsGCCsG AQUFBwEBBG8wbTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL3Jvb3Ry MzA7BggrBgEFBQcwAoYvaHR0cDovL3NlY3VyZS5nbG9iYWxzaWduLmNvbS9jYWNlcnQvcm9vdC1y My5jcnQwNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9yb290LXIz LmNybDBMBgNVHSAERTBDMEEGCSsGAQQBoDIBKDA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5n bG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEANyYcO+9JZYyqQt41 TMwvFWAw3vLoLOQIfIn48/yea/ekOcParTb0mbhsvVSZ6sGn+txYAZb33wIb1f4wK4xQ7+RUYBfI TuTPL7olF9hDpojC2F6Eu8nuEf1XD9qNI8zFd4kfjg4rb+AME0L81WaCL/WhP2kDCnRU4jm6TryB CHhZqtxkIvXGPGHjwJJazJBnX5NayIce4fGuUEJ7HkuCthVZ3Rws0UyHSAXesT/0tXATND4mNr1X El6adiSQy619ybVERnRi5aDe1PTwE+qNiotEEaeujz1a/+yYaaTY+k+qJcVxi7tbyQ0hi0UB3myM A/z2HmGEwO8hx7hDjKmKbDCCA18wggJHoAMCAQICCwQAAAAAASFYUwiiMA0GCSqGSIb3DQEBCwUA MEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9vdCBDQSAtIFIzMRMwEQYDVQQKEwpHbG9iYWxTaWdu MRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTA5MDMxODEwMDAwMFoXDTI5MDMxODEwMDAwMFowTDEg MB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzAR BgNVBAMTCkdsb2JhbFNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMJXaQeQZ4 Ihb1wIO2hMoonv0FdhHFrYhy/EYCQ8eyip0EXyTLLkvhYIJG4VKrDIFHcGzdZNHr9SyjD4I9DCuu l9e2FIYQebs7E4B3jAjhSdJqYi8fXvqWaN+JJ5U4nwbXPsnLJlkNc96wyOkmDoMVxu9bi9IEYMpJ pij2aTv2y8gokeWdimFXN6x0FNx04Druci8unPvQu7/1PQDhBjPogiuuU6Y6FnOM3UEOIDrAtKeh 6bJPkC4yYOlXy7kEkmho5TgmYHWyn3f/kRTvriBJ/K1AFUjRAjFhGV64l++td7dkmnq/X8ET75ti +w1s4FRpFqkD2m7pg5NxdsZphYIXAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E BTADAQH/MB0GA1UdDgQWBBSP8Et/qC5FJK5NUPpjmove4t0bvDANBgkqhkiG9w0BAQsFAAOCAQEA S0DbwFCq/sgM7/eWVEVJu5YACUGssxOGhigHM8pr5nS5ugAtrqQK0/Xx8Q+Kv3NnSoPHRHt44K9u bG8DKY4zOUXDjuS5V2yq/BKW7FPGLeQkbLmUY/vcU2hnVj6DuM81IcPJaP7O2sJTqsyQiunwXUaM ld16WCgaLx3ezQA3QY/tRG3XUyiXfvNnBB4V14qWtNPeTCekTBtzc3b0F5nCH3oO4y0IrQocLP88 q1UOD5F+NuvDV0m+4S4tfGCLw0FREyOdzvcya5QBqJnnLDMfOjsl0oZAzjsshnjJYS8Uuu7bVW/f hO4FCU29KNhyztNiUGUe65KXgzHZs7XKR1g/XzCCBOUwggPNoAMCAQICEAHjJN0wI2mc/3+MzksT WnAwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYt c2ExKjAoBgNVBAMTIUdsb2JhbFNpZ24gQXRsYXMgUjMgU01JTUUgQ0EgMjAyMDAeFw0yNDA0MDYx MTE4MjJaFw0yNDEwMDMxMTE4MjJaMCUxIzAhBgkqhkiG9w0BCQEWFHNyb2V0dGdlckBnb29nbGUu Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvIHXIMI0HWqTtuhfkP/r3i3ZPdl6 fxE2LLAUFgSs5ndj996CGvTxRYdPcAhoavN/iUJgkfIfvV7vw+/cvuIM9NOS6A3yU2HekBUlJQgU Cfqv38txrgXmMnilmpJSakN6e5gncvYbvgqe/yQwbMEIe6QaXu8203QFm2FhzENw7OzeemhkEEGs a/BLh3fLnMnlrvzKwm40ilWbHWiLxfwlSGBGitj3/Hodz8s7YH+5+BehR/xzjjmnx2tgJNllE7xe 7yM6mFqqMbe2kOvXeW5Xa1jbXviYA32lurhF3X6LSOMROBZsKkEEHiJ+uNe6KA5tpiQ/IRZVs1AS +7i9H6Z/YQIDAQABo4IB4DCCAdwwHwYDVR0RBBgwFoEUc3JvZXR0Z2VyQGdvb2dsZS5jb20wDgYD VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggrBgEFBQcDAjAdBgNVHQ4EFgQURDMQ nR7ecpsA+puTzvCj96qHvYYwVwYDVR0gBFAwTjAJBgdngQwBBQEBMEEGCSsGAQQBoDIBKDA0MDIG CCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAMBgNVHRMB Af8EAjAAMIGaBggrBgEFBQcBAQSBjTCBijA+BggrBgEFBQcwAYYyaHR0cDovL29jc3AuZ2xvYmFs c2lnbi5jb20vY2EvZ3NhdGxhc3Izc21pbWVjYTIwMjAwSAYIKwYBBQUHMAKGPGh0dHA6Ly9zZWN1 cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzYXRsYXNyM3NtaW1lY2EyMDIwLmNydDAfBgNVHSME GDAWgBR8zApo16LrHixyG9HNXZVvjfvyYzBGBgNVHR8EPzA9MDugOaA3hjVodHRwOi8vY3JsLmds b2JhbHNpZ24uY29tL2NhL2dzYXRsYXNyM3NtaW1lY2EyMDIwLmNybDANBgkqhkiG9w0BAQsFAAOC AQEAjdDkknrFd4TBCpRrVBt7+ONjRp1zmdXUj/RxRT+qPBVlu7PsoOsBvxcG6Yg4x19K5mjePIp2 6cFz/ERHyouaKp3TVj1i3H1iogUiCJtHinSibDdn3Pr/yMg5yC7g/VHuIhbfbklDISfbxBYd8cm5 eirGRzYGQ2/1AdJeeqIEYG9gc2pU/Ayh+6VBMrJre0PmBHHsyxIqA4+BUjqiPGZZHLmRFiX5DBlg 6aC+iAfkHtv3URQt3UOsCDRzbkCEEghp/6IaQMv9TgEw+yi3zrQMRY5Z9C89WvguS/U1EtnuUtct /sAaI8yuXlr7J22WGHghs+ECtTVMvgRlJOKj36rhYDGCAmowggJmAgEBMGgwVDELMAkGA1UEBhMC QkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExKjAoBgNVBAMTIUdsb2JhbFNpZ24gQXRsYXMg UjMgU01JTUUgQ0EgMjAyMAIQAeMk3TAjaZz/f4zOSxNacDANBglghkgBZQMEAgEFAKCB1DAvBgkq hkiG9w0BCQQxIgQgfx0A67KOnEjpBGnHYyzy5sGnjrISKw1EOLcsTeXAe8owGAYJKoZIhvcNAQkD MQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjQwNTIzMDkzMjA1WjBpBgkqhkiG9w0BCQ8x XDBaMAsGCWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMAsG CSqGSIb3DQEBCjALBgkqhkiG9w0BAQcwCwYJYIZIAWUDBAIBMA0GCSqGSIb3DQEBAQUABIIBAEj6 UZaGvfMkxXYpJoOYnVL6Yvz9U8agWT8Q2T6xfAZiVU4H4ykbrvAh+RMam1SFDbdfRqyBYMcEZbSX XBJ0egVLZTjAdYNaCOTKf6/R9fKuuuWfB6l9JZT07A//khGjhYFE3qJD8pTRcGmrFUw4OfH54g+r NEWd4N8XpPqrHWKEg0YSKaO2k5UJR3rD/uo99AKibmanpuBPmBgDv2sbA19FOAn7DVR0rwLuj9jt 82uB2lRnKKyiYChbbCp47X5CImzYY8z3hHFmq6AJ25sXygw9VMCX97y/YRUXKRewSDMgFYoM6oLE pbHKwQylGyD5cou9+FV5iirwUfZsxxzTxo8= --00000000000060ef9206191bb9d6--