Date: Wed, 4 Oct 2023 15:04:24 +0100
From: Szabolcs Nagy
To: Siddhesh Poyarekar, libc-alpha@sourceware.org
Cc: adhemerval.zanella@linaro.org, fweimer@redhat.com, carlos@redhat.com
Subject: Re: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE

The 10/04/2023 07:59, Siddhesh Poyarekar wrote:
> On 2023-10-04 03:29, Szabolcs Nagy wrote:
> > The 10/03/2023 16:11, Siddhesh Poyarekar wrote:
> > > Limit effect of memory tagging to the same process and don't let it
> > > bleed across privilege boundaries into non-setuid children of setuid
> > > processes.
> > >
> > > Signed-off-by: Siddhesh Poyarekar
> >
> > the description does not match the documented behaviour of
> > SXID_IGNORE. (the setuid binary passes on the setting from
> > its parent, i don't see the privilege boundary crossing)
>
> Maybe "privilege boundary crossing" is too strong a phrase, how about "bleed
> across different users or groups"?
>
> > and it does not explain why would you want to turn a security
> > hardening feature off.
> >
> > i'm not against the patch as the heap tagging feature is
> > very experimental at this point, but it needs a better
> > explanation.
>
> How about:
>
> """
> Memory tagging is still an experimental feature, so limit propagation of
> tunables across setxid binaries.
> """

well i don't mind the wording, but i wanted to see an actual
justification. "this is experimental" is not useful. "limit
propagation across setxid binaries" answers what the patch does,
but not why.

is there an actual problem you are trying to solve?
do you think SXID_IGNORE is not suitable for security
hardening features? what is the intended usage of it?

i don't see anything immediately wrong with inheriting
env from a grandparent process if in between there was a
setuid process that ignored the env. (i also don't see it
as very useful/necessary)

> In future though, would you want SXID_IGNORE for memory tagging? I would
> expect that once memory tagging becomes a stable feature you'd want it to be
> enabled by default and disabled by, e.g. a systemwide tunable. I can't see
> why you'd want it to go across the setxid boundary.

it may not be enabled by default because of its overhead
(we need hw to decide).

i think it is unexpected that setxid drops env vars
(ignoring is ok, but dropping is weird). i can live with the
'drop' semantics but then why do we have SXID_IGNORE?
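
The difference between ignoring and dropping that the thread argues about, as an added example that is not part of the original message and is not glibc source: a small model of how a `GLIBC_TUNABLES` string fares along the chain parent -> setxid program -> ordinary child under each security level. The `SEC_*` names, the helper functions and the `example.other` entry are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not glibc source: the three tunable security levels. */
enum sec_level { SEC_NONE, SEC_SXID_IGNORE, SEC_SXID_ERASE };

struct result {
    int applied;         /* this process acts on the tunable */
    char child_env[128]; /* GLIBC_TUNABLES value its children inherit */
};

/* Handle a "name=value:name=value" string for one tunable `name` at level
   `lvl`, in a process that is setxid (1) or not (0). Other entries are
   passed through untouched (assumption made to keep the model small). */
static struct result process_tunables(const char *env, const char *name,
                                      enum sec_level lvl, int setxid)
{
    struct result r = { 0, "" };
    char buf[128];
    size_t nlen = strlen(name);

    strncpy(buf, env, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        int match = strncmp(tok, name, nlen) == 0 && tok[nlen] == '=';
        if (match && (!setxid || lvl == SEC_NONE))
            r.applied = 1;              /* read and honoured here */
        if (match && setxid && lvl == SEC_SXID_ERASE)
            continue;                   /* dropped: children never see it */
        if (r.child_env[0])
            strcat(r.child_env, ":");
        strcat(r.child_env, tok);       /* kept for children */
    }
    return r;
}

/* parent -> setxid program -> ordinary child: does the child honour it? */
static int active_in_grandchild(const char *env, const char *name,
                                enum sec_level lvl)
{
    struct result mid = process_tunables(env, name, lvl, 1);
    return process_tunables(mid.child_env, name, lvl, 0).applied;
}

int main(void)
{
    const char *env = "glibc.mem.tagging=1:example.other=1"; /* constructed */
    printf("SXID_IGNORE: %d\n", active_in_grandchild(env, "glibc.mem.tagging", SEC_SXID_IGNORE));
    printf("SXID_ERASE:  %d\n", active_in_grandchild(env, "glibc.mem.tagging", SEC_SXID_ERASE));
    return 0;
}
```

In both cases the setxid program itself does not honour the tunable; the two levels differ only in what the non-setxid child inherits.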