Re: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

From: Szabolcs Nagy <szabolcs.nagy@arm.com>
To: Siddhesh Poyarekar <siddhesh@sourceware.org>, libc-alpha@sourceware.org
Cc: adhemerval.zanella@linaro.org, fweimer@redhat.com, carlos@redhat.com
Subject: Re: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE
Date: Wed, 4 Oct 2023 15:04:24 +0100	[thread overview]
Message-ID: <ZR1w6NYJBqlwTQlh@arm.com> (raw)
In-Reply-To: <f673bfd2-f590-c49d-d2f4-bbaae5c44994@sourceware.org>

The 10/04/2023 07:59, Siddhesh Poyarekar wrote:
> On 2023-10-04 03:29, Szabolcs Nagy wrote:
> > The 10/03/2023 16:11, Siddhesh Poyarekar wrote:
> > > Limit effect of memory tagging to the same process and don't let it
> > > bleed across privilege boundaries into non-setuid children of setuid
> > > processes.
> > > 
> > > Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
> > 
> > the description does not match the documented behaviour of
> > SXID_IGNORE. (the setuid binary passes on the setting from
> > its parent, i don't see the privilege boundary crossing)
> 
> Maybe "privilege boundary crossing" is too strong a phrase, how about "bleed
> across different users or groups"?
> 
> > and it does not explain why would you want to turn a security
> > hardening feature off.
> > 
> > i'm not against the patch as the heap tagging feature is
> > very experimental at this point, but it needs a better
> > explanation.
> 
> How about:
> 
> """
> Memory tagging is still an experimental feature, so limit propagation of
> tunables across setxid binaries.
> """

well i don't mind the wording, but i wanted to see
an actual justification.

"this is experiemental" is not useful.

"limit propagation across setxid binaries" answers
what the patch does, but not why.

is there an actual problem you are trying to solve?
do you think SXID_IGNORE is not suitable for security
hardening features? what is the intended usage of it?

i don't see anything immediately wrong with inheriting
env from a grandparent process if in between there was
a setuid process that ignored the env. (i also don't
see it as very useful/necessary)

> In future though, would you want SXID_IGNORE for memory tagging?  I would
> expect that once memory tagging becomes a stable feature you'd want it to be
> enabled by default and disabled by, e.g. a systemwide tunable.  I can't see
> why you'd want it to go across the setxid boundary.

it may not be enabled by default because of its overhead
(we need hw to decide).

i think it is unexpected that setxid drops env vars
(ignoring is ok, but dropping is weird).

i can live with the 'drop' semantics but then why do
we have SXID_IGNORE?

next prev parent reply	other threads:[~2023-10-04 14:04 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-03 20:11 [PATCH 0/2] make all tunables SXID_ERASE Siddhesh Poyarekar
2023-10-03 20:11 ` [PATCH 1/2] Make all malloc " Siddhesh Poyarekar
2023-10-03 20:11 ` [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE Siddhesh Poyarekar
2023-10-04  7:29   ` Szabolcs Nagy
2023-10-04 11:59     ` Siddhesh Poyarekar
2023-10-04 14:04       ` Szabolcs Nagy [this message]
2023-10-04 14:23         ` Siddhesh Poyarekar
2023-10-04 14:51           ` Szabolcs Nagy
2023-10-04 14:53             ` Siddhesh Poyarekar
2023-10-04 15:05               ` Siddhesh Poyarekar
2023-10-04 17:01             ` Adhemerval Zanella Netto
2023-10-05  8:19               ` Szabolcs Nagy
2023-10-05 12:55                 ` Siddhesh Poyarekar
2023-10-05 13:59                   ` Szabolcs Nagy
2023-10-05 14:05                     ` Siddhesh Poyarekar
2023-10-05 18:31                     ` Zack Weinberg
2023-10-05 19:11                       ` Siddhesh Poyarekar
2023-10-06 12:25                         ` Zack Weinberg
2023-10-06 12:41                           ` Siddhesh Poyarekar
2023-10-06 17:10                             ` Adhemerval Zanella Netto
2023-10-06 18:04                               ` Siddhesh Poyarekar
2023-10-08 19:51                       ` Michael Hudson-Doyle
2023-10-31 19:58                         ` Zack Weinberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZR1w6NYJBqlwTQlh@arm.com \
    --to=szabolcs.nagy@arm.com \
    --cc=adhemerval.zanella@linaro.org \
    --cc=carlos@redhat.com \
    --cc=fweimer@redhat.com \
    --cc=libc-alpha@sourceware.org \
    --cc=siddhesh@sourceware.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).