From patchwork Fri Feb 5 17:38:37 2021
X-Patchwork-Submitter: Mark Brown
X-Patchwork-Id: 41951
To: Catalin Marinas, Will Deacon
Subject: [PATCH] arm64: bti: Set PROT_BTI on all BTI executables mapped by the kernel
Date: Fri, 5 Feb 2021 17:38:37 +0000
Message-Id: <20210205173837.39315-1-broonie@kernel.org>
From: Mark Brown
Cc: Mark Rutland, libc-alpha@sourceware.org, Kees Cook, Jeremy Linton, Mark Brown, Dave Martin, linux-arm-kernel@lists.infradead.org

Currently for dynamically linked executables the kernel only enables PROT_BTI for the interpreter, the interpreter is responsible for enabling it for everything else including the main executable. Unfortunately this interacts poorly with systemd's MemoryDenyWriteExecute feature which uses a seccomp filter to prevent setting PROT_EXEC on already mapped memory via mprotect(), it lacks the context to detect that PROT_EXEC is already set and so refuses to allow the mprotect() on the main executable which the kernel has already mapped.

Since we don't want to force users to choose between having MDWX and BTI as these are orthogonal features have the kernel enable PROT_BTI for all the ELF objects it loads, not just the dynamic linker. This means that if there is a problem with BTI it will be harder to disable at the executable level but we currently have no conditional support for this in any libc anyway so that would be new development.

Ideally we would have interfaces that allowed us to more clearly specify what is enabled and disabled by a given syscall but this would be a far more difficult change to deploy.

Reported-by: Jeremy Linton
Suggested-by: Catalin Marinas
Signed-off-by: Mark Brown
Cc: Mark Rutland
Cc: Szabolcs Nagy
Cc: Dave Martin
Cc: Kees Cook
Cc: libc-alpha@sourceware.org
Reviewed-by: Catalin Marinas
Reviewed-by: Dave Martin
---

This solution was proposed by Catalin, I'm just writing it up into a patch since it looks to be what we've converged on as the most practical solution but things seemed to have stalled out.

 arch/arm64/kernel/process.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c index 71c8265b9139..0967f9e1f9fd 100644
--- a/arch/arm64/kernel/process.c +++ b/arch/arm64/kernel/process.c @@ -717,14 +717,6 @@ asmlinkage void __sched arm64_preempt_schedule_irq(void) int arch_elf_adjust_prot(int prot, const struct arch_elf_state *state, bool has_interp, bool is_interp) { - /* - * For dynamically linked executables the interpreter is - * responsible for setting PROT_BTI on everything except - * itself. - */ - if (is_interp != has_interp) - return prot; - if (!(state->flags & ARM64_ELF_BTI)) return prot;
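
Review bot: With the `is_interp != has_interp` early return removed, neither `has_interp` nor `is_interp` is referenced in the part of arch_elf_adjust_prot() visible in this hunk, and the deleted comment was the only in-code statement of who is responsible for PROT_BTI. I would replace it with a short comment recording the new contract (PROT_BTI is applied to every ELF object the kernel maps whose state has ARM64_ELF_BTI set, the main executable included) and the reason for it, because the MemoryDenyWriteExecute seccomp interaction is currently explained only in the commit message. If the two bool parameters are also unused in the rest of the function, that comment should say they are deliberately ignored. It would also help if the commit message stated what an interpreter that still issues the mprotect() on the main executable should expect under MDWX after this change.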