On Tue, Nov 03, 2020 at 05:34:38PM +0000, Mark Brown wrote: > On Tue, Nov 03, 2020 at 10:25:37AM +0000, Szabolcs Nagy wrote: > > > Re-mmap executable segments instead of mprotecting them in > > case mprotect is seccomp filtered. > > > For the kernel mapped main executable we don't have the fd > > for re-mmap so linux needs to be updated to add BTI. (In the > > presence of seccomp filters for mprotect(PROT_EXEC) the libc > > cannot change BTI protection at runtime based on user space > > policy so it is better if the kernel maps BTI compatible > > binaries with PROT_BTI by default.) > > Given that there were still some ongoing discussions on a more robust > kernel interface here and there seem to be a few concerns with this > series should we perhaps just take a step back and disable this seccomp > filter in systemd on arm64, at least for the time being? That seems > safer than rolling out things that set ABI quickly, a big part of the > reason we went with having the dynamic linker enable PROT_BTI in the > first place was to give us more flexibility to handle any unforseen > consequences of enabling BTI that we run into. We are going to have > similar issues with other features like MTE so we need to make sure that > whatever we're doing works with them too. > > Also updated to Will's current e-mail address - Will, do you have > thoughts on what we should do here?
Changing the kernel to map the main executable with PROT_BTI by default is a user-visible change in behaviour and not without risk, so if we're going to do that then it needs to be opt-in because the current behaviour has been there since 5.8. I suppose we could shoe-horn in a cmdline option for 5.10 (which will be the first LTS with BTI) but it would be better to put up with the current ABI if possible. Is there real value in this seccomp filter if it only looks at mprotect(), or was it just implemented because it's easy to do and sounds like a good idea? Will