From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dog.birch.relay.mailchannels.net (dog.birch.relay.mailchannels.net [23.83.209.48]) by sourceware.org (Postfix) with ESMTPS id AE3DB3857C5A for ; Wed, 4 Oct 2023 14:23:45 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org AE3DB3857C5A Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none) header.from=sourceware.org Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=sourceware.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 507B37A1B66; Wed, 4 Oct 2023 14:23:44 +0000 (UTC) Received: from pdx1-sub0-mail-a234.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 9B22F7A19EC; Wed, 4 Oct 2023 14:23:43 +0000 (UTC) ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1696429423; a=rsa-sha256; cv=none; b=iw8AwmvYFI+yMK+XfaXUeAOwPytCFx8coJN8WsFGn2ExGI8Usyx40yxdjyVIXR7sqO1YsJ n8hl0oMIav9Tv1fhLq0N5jjVpNFjFeXizVxtmRUlPjRSv7W5konfxbebOJ4NysVCUNlwi7 pOa6/RDw4ueuJSI00AZv58zptsfrOp1DE6PR+ULgbQjwOn2d5ZT7dNcL2Xv9KuvQfBvwPI rsAcHmYaUy/m5Gd1yMpNsnlZMCPxyooE/bhpmIqDB/0seBu5LeBWP+3vQbHJuDuMARAICS Wxyalu6JnYPsyqmvLrZ5SLwWgNQQVuOLSZVvoizqfwUb7tsIeSxy2IPI5cLIxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1696429423; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=WLxhbbnVvETxx8Z9wBNsEnLdCipjB+obA54TNJLdUGI=; b=Xsvt7tF0V4IDdLMi6fMtpDZeJOmfaSezy7skAjJGHFIFABrfQYpY45Ne3YF1V7yHS42Sng HO2j2PZwjQ+Kgf83ZJoZGlRUwk3nqNv9hvljUYx6jRZ0n8A/7HVw2X1Gv7Un/Bw2wZG2T8 CWqJ3HO+K/qacyAi4bZ/9EE8HzCN2ki19/WRfBb5kgHvGv9Lys4xTMKk/2b2Fd0eFCu5OK X7nCv59prTjQN0sygHJ11Q7EWbFvwzNy4FgsFdQ8HZkaTShSrtqxSTSihrVofJ6Lpkz1w8 w21oogNcj8W1/b7xLiM+BpRjB1dycO1+45LTgYPKEFwoPeSP3i60FNCte2Yl4A== ARC-Authentication-Results: i=1; rspamd-7c449d4847-dd9d6; auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@sourceware.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org X-MC-Relay: Neutral X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Bitter-Abaft: 2711c0fc3dabe588_1696429423995_4129791043 X-MC-Loop-Signature: 1696429423995:388784717 X-MC-Ingress-Time: 1696429423995 Received: from pdx1-sub0-mail-a234.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.99.159.71 (trex/6.9.1); Wed, 04 Oct 2023 14:23:43 +0000 Received: from [192.168.2.12] (bras-vprn-toroon4834w-lp130-02-142-113-138-41.dsl.bell.ca [142.113.138.41]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a234.dreamhost.com (Postfix) with ESMTPSA id 4S0xkk6Sb3z64; Wed, 4 Oct 2023 07:23:42 -0700 (PDT) Message-ID: Date: Wed, 4 Oct 2023 10:23:41 -0400 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 Subject: Re: [PATCH 2/2] aarch64: Make glibc.mem.tagging SXID_ERASE Content-Language: en-US To: Szabolcs Nagy , libc-alpha@sourceware.org Cc: adhemerval.zanella@linaro.org, fweimer@redhat.com, carlos@redhat.com References: From: Siddhesh Poyarekar In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1167.3 required=5.0 tests=BAYES_00,KAM_DMARC_NONE,KAM_DMARC_STATUS,NICE_REPLY_A,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_SOFTFAIL,TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org List-Id: On 2023-10-04 10:04, Szabolcs Nagy wrote: > well i don't mind the wording, but i wanted to see > an actual justification. > > "this is experiemental" is not useful. > > "limit propagation across setxid binaries" answers > what the patch does, but not why. > > is there an actual problem you are trying to solve? > do you think SXID_IGNORE is not suitable for security > hardening features? what is the intended usage of it? > > i don't see anything immediately wrong with inheriting > env from a grandparent process if in between there was > a setuid process that ignored the env. (i also don't > see it as very useful/necessary) The actual problem I'm trying to solve is to get rid of SXID_IGNORE and SXID_NONE and the first step is to drop users of those levels. Supporting those levels requires additional processing in __libc_enable_secure, which is a source of bugs like CVE-2023-4911. I'm not convinced that we really *need* to have tunables go across sxid boundaries, so I want to flip the question around: do you think it is *necessary* for memory tagging tunables to percolate sxid boundaries? If not, then they should stay at SXID_ERASE. >> In future though, would you want SXID_IGNORE for memory tagging? I would >> expect that once memory tagging becomes a stable feature you'd want it to be >> enabled by default and disabled by, e.g. a systemwide tunable. I can't see >> why you'd want it to go across the setxid boundary. > > it may not be enabled by default because of its overhead > (we need hw to decide). > > i think it is unexpected that setxid drops env vars > (ignoring is ok, but dropping is weird). > > i can live with the 'drop' semantics but then why do > we have SXID_IGNORE? They were introduced for compatibility with the original semantics of MALLOC_MMAP_THRESHOLD_ and friends, that would go across sxid boundaries. In those cases too I'm not convinced that the use case really needs to be supported and that users should find a way to achieve that effect in other ways, such as having a wrapper around the non-setuid child that needs to see these tunables and export the tunables in that wrapper. The end goal here is to drop everything but SXID_ERASE so that we don't have to do string twiddling under __libc_enable_secure. The other alternative to achieve the same effect (i.e. not twiddle strings in __libc_enable_secure) could be to make *everything* SXID_IGNORE, which would then leave GLIBC_TUNABLES untouched for non-setuid children to do what they please with it. Sid