On 3.11.2020 19.34, Mark Brown wrote:
On Tue, Nov 03, 2020 at 10:25:37AM +0000, Szabolcs Nagy wrote:
Re-mmap executable segments instead of mprotecting them in
case mprotect is seccomp filtered.
For the kernel mapped main executable we don't have the fd
for re-mmap so linux needs to be updated to add BTI. (In the
presence of seccomp filters for mprotect(PROT_EXEC) the libc
cannot change BTI protection at runtime based on user space
policy so it is better if the kernel maps BTI compatible
binaries with PROT_BTI by default.)
Given that there were still some ongoing discussions on a more robust
kernel interface here and there seem to be a few concerns with this
series should we perhaps just take a step back and disable this seccomp
filter in systemd on arm64, at least for the time being?
Filtering mprotect() and mmap() with seccomp also protects BTI, since
without it the attacker could remove PROT_BTI from existing pages, or
map new pages without BTI. This would be possible even with SARA or
SELinux execmem protections enabled, since they don't care about PROT_BTI.
-Topi