Re: [PATCH RFC RFT 2/5] fork: Add shadow stack support to clone3()

From: Edgecombe, Rick P
Date: Fri Oct 27 2023 - 11:56:02 EST


On Fri, 2023-10-27 at 12:49 +0100, Szabolcs.Nagy@xxxxxxx wrote:
> no. the lifetime is the issue: a stack in principle can outlive
> a thread and be resumed even after the original thread exited.
> for that to work the shadow stack has to outlive the thread too.

Hmm, this makes me think about the tracing usages.

>
> (or the other way around: a stack can be freed before the thread
> exits, if the thread pivots away from that stack.)
>
> posix threads etc. don't allow this, but the linux syscall abi
> (clone) does allow it.
>
> i think it is reasonable to tie the shadow stack lifetime to the
> thread lifetime, but this clearly introduces a limitation on how
> the clone api can be used. such constraint on the userspace
> programming model is normally a bad decision, but given that most
> software (including all posix conforming code) is not affected,
> i think it is acceptable for an opt-in feature like shadow stack.

Do you have any updated plans to share around your earlier ideas for
token schemes that try to shoot for more compatibility or security?