From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by sourceware.org (Postfix) with ESMTPS id BDB553858D20 for ; Fri, 4 Feb 2022 13:12:00 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org BDB553858D20 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 05AB0B8373A; Fri, 4 Feb 2022 13:11:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id CDE56C004E1; Fri, 4 Feb 2022 13:11:55 +0000 (UTC) Date: Fri, 4 Feb 2022 13:11:52 +0000 From: Catalin Marinas To: Mark Brown Cc: Will Deacon , Szabolcs Nagy , Jeremy Linton , "H . J . Lu" , Yu-cheng Yu , linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, libc-alpha@sourceware.org, Dave Martin Subject: Re: [PATCH v8 2/4] arm64: Enable BTI for main executable as well as the interpreter Message-ID: References: <20220124150704.2559523-1-broonie@kernel.org> <20220124150704.2559523-3-broonie@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220124150704.2559523-3-broonie@kernel.org> X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS, KAM_DMARC_STATUS, SPF_HELO_NONE, SPF_PASS, TXREP, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Feb 2022 13:12:02 -0000 On Mon, Jan 24, 2022 at 03:07:02PM +0000, Mark Brown wrote: > Currently for dynamically linked ELF executables we only enable BTI for > the interpreter, expecting the interpreter to do this for the main > executable. This is a bit inconsistent since we do map main executable and > is causing issues with systemd's MemoryDenyWriteExecute feature which is > implemented using a seccomp filter which prevents setting PROT_EXEC on > already mapped memory and lacks the context to be able to detect that > memory is already mapped with PROT_EXEC. > > Resolve this by checking the BTI property for the main executable and > enabling BTI if it is present when doing the initial mapping. This does > mean that we may get more code with BTI enabled if running on a system > without BTI support in the dynamic linker, this is expected to be a safe > configuration and testing seems to confirm that. Alternatively we could only enable BTI on the main executable if the interpreter is also compiled with the BTI attributes. But it still feels a bit inconsistent as a BTI-capable interpreter doesn't necessarily mean it had to be compiled with BTI support. > It also reduces the > flexibility userspace has to disable BTI but it is expected that for cases > where there are problems which require BTI to be disabled it is more likely > that it will need to be disabled on a system level. That's my expectation as well. I'm not aware of any plans to make a dynamic loader choose BTI based on some environment variable (not sure about Android zygote, I haven't heard anything either). > Signed-off-by: Mark Brown > Reviewed-by: Dave Martin > Tested-by: Jeremy Linton For this patch: Reviewed-by: Catalin Marinas