Re: [systemd-devel] BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures
From: Lennart Poettering
Date: Thu Oct 22 2020 - 04:38:27 EST

On Thu, 22.10.20 09:29, Szabolcs Nagy (szabolcs.nagy@xxxxxxx) wrote:
> > > The dynamic loader has to process the LOAD segments to get to the ELF
> > > note that says to enable BTI. Maybe we could do a first pass and load
> > > only the segments that cover notes. But that requires lots of changes
> > > to generic code in the loader.
> >
> > What if the loader always enabled BTI for PROT_EXEC pages, but then when
> > discovering that this was a mistake, mprotect() the pages without BTI? Then
> > both BTI and MDWX would work and the penalty of not getting MDWX would fall
> > to non-BTI programs. What's the expected proportion of BTI enabled code vs.
> > disabled in the future, is it perhaps expected that a distro would enable
> > the flag globally so eventually only a few legacy programs might be
> > unprotected?
>
> i thought mprotect(PROT_EXEC) would get filtered
> with or without bti, is that not the case?

We can adjust the filter in systemd to match any combination of
flags to allow and to deny.

Lennart
--
Lennart Poettering, Berlin
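
One way a flag-combination match of the kind mentioned in the reply above could look, as an added example that is not systemd's actual filter and not part of the original message: a classic-BPF seccomp program that denies mprotect() with PROT_EXEC unless PROT_BTI is also set, with a small userspace evaluator so the verdicts can be checked offline. The policy itself, the names `mprotect_filter`, `run_filter` and `verdict`, and the omission of the usual `seccomp_data.arch` check are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef PROT_BTI
#define PROT_BTI 0x10 /* arm64 uapi value; other architectures do not define it */
#endif

/* Assumed policy: deny mprotect() when (prot & (EXEC|BTI)) == EXEC, allow the rest.
 * seccomp only sees argument values, not whether the pages were already executable.
 * Offset of args[2] addresses its low 32 bits on little-endian machines. */
static const struct sock_filter mprotect_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mprotect, 0, 3),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[2])),
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, PROT_EXEC | PROT_BTI),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PROT_EXEC, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
};

/* Evaluator for only the four opcodes used above (not a general BPF interpreter). */
static uint32_t run_filter(const struct seccomp_data *d) {
    uint32_t a = 0;
    for (size_t pc = 0; pc < sizeof(mprotect_filter) / sizeof(mprotect_filter[0]); pc++) {
        const struct sock_filter *f = &mprotect_filter[pc];
        switch (f->code) {
        case BPF_LD | BPF_W | BPF_ABS:  memcpy(&a, (const char *)d + f->k, 4); break;
        case BPF_ALU | BPF_AND | BPF_K: a &= f->k; break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (a == f->k) ? f->jt : f->jf; break;
        case BPF_RET | BPF_K:           return f->k;
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: treat as deny */
}

/* Verdict for a constructed mprotect(addr=0, len=4096, prot) call record. */
static uint32_t verdict(int prot) {
    struct seccomp_data d = { .nr = SYS_mprotect, .args = { 0, 4096, (uint64_t)prot } };
    return run_filter(&d);
}

int main(void) {
    printf("exec: %#x  exec+bti: %#x\n", verdict(PROT_EXEC), verdict(PROT_EXEC | PROT_BTI));
    return 0;
}
```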