From: Florian Weimer
To: Rich Felker
Cc: GNU C Library, GCC, Binutils
Subject: Re: Run (some?) ELF constructors after applying RELRO protection
Date: Thu, 05 Jul 2018 19:49:00 -0000

On 06/11/2018 08:59 PM, Rich Felker wrote:

>>> If the application already has to annotate that the data is
>>> going to be read-only after ctors, it can just page-align/page-pad the
>>> data itself and call mprotect with minimal additional effort, and no
>>> complex interaction between application code and relro (which is about
>>> RELocations not arbitrary data protection).
>> Is this really supported? We currently do not provide programmatic
>> access to the largest supported page size of a target architecture,
>> I think. The link editor knows of it, of course, but beyond that,
>> it's a bit of a mystery. It's not just about cross-compilation.
>> Even if you check the run-time page size, it might not give you the
>> right answer.
> Hmm, that's a good point. In that case something new is needed. If you
> really want to do it with the dynamic linker, I think it should be a
> new program header though rather than a flag, and a new section/pages
> separate from RELRO (since it's more like POSTCTORRO).

Perhaps we should add a suitable #define to , like
MAXIMUM_PAGE_SIZE. Then an application could declare an object this way:

  union
  {
    struct data data;
    char __minimum_size[MAXIMUM_PAGE_SIZE];
  } data __attribute__ ((aligned (MAXIMUM_PAGE_SIZE)));

Hopefully, this will be sufficient to make it safe for applications to
call mprotect or pkey_mprotect on the actual data.

I always feel bad about manipulating memory with mprotect which I have
not mapped myself.

Florian
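
Added example, not part of the original message and not glibc code: the padded, aligned union from the message, sealed with mprotect after initialisation and then checked by attempting a write in a forked child. EXAMPLE_MAX_PAGE_SIZE (64 KiB) is an assumed stand-in for the proposed MAXIMUM_PAGE_SIZE, and struct data's field and the function names are hypothetical.

```c
#define _DEFAULT_SOURCE 1
#include <signal.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumption: 64 KiB stands in for the proposed MAXIMUM_PAGE_SIZE,
   which no existing header defines. */
#define EXAMPLE_MAX_PAGE_SIZE 65536
struct data { int limit; };  /* hypothetical payload */

/* Padded and aligned so that no other object shares its pages. */
static union
{
  struct data data;
  char minimum_size[EXAMPLE_MAX_PAGE_SIZE];
} cfg __attribute__ ((aligned (EXAMPLE_MAX_PAGE_SIZE)));

/* Fill in the object, then make it read-only.  Returns 0 on success,
   -1 if the run-time page size breaks the assumption or mprotect fails. */
int seal_cfg (int limit)
{
  long page = sysconf (_SC_PAGESIZE);
  if (page <= 0 || EXAMPLE_MAX_PAGE_SIZE % page != 0)
    return -1;
  cfg.data.limit = limit;
  return mprotect (&cfg, sizeof cfg, PROT_READ);
}

int read_limit (void) { return cfg.data.limit; }

/* Returns 1 if a write to the sealed object dies with SIGSEGV.  The write
   runs in a forked child so that the caller survives the fault. */
int write_faults (void)
{
  int status;
  pid_t pid = fork ();
  if (pid < 0) return -1;
  if (pid == 0)
    {
      *(volatile int *) &cfg.data.limit = 0;
      _exit (0);
    }
  if (waitpid (pid, &status, 0) != pid) return -1;
  return WIFSIGNALED (status) && WTERMSIG (status) == SIGSEGV;
}

int main (void) { return !(seal_cfg (42) == 0 && write_faults () == 1); }
```

In a program following the scheme discussed above, the call to seal_cfg would come after the last constructor that writes the object.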