Date: Fri, 23 Oct 2020 18:52:50 +0100 From: Salvatore Mesoraca <s.mesoraca16@...il.com> To: Topi Miettinen <toiwoton@...il.com> Cc: Kees Cook <keescook@...omium.org>, Szabolcs Nagy <szabolcs.nagy@....com>, Jeremy Linton <jeremy.linton@....com>, "linux-arm-kernel@...ts.infradead.org" <linux-arm-kernel@...ts.infradead.org>, libc-alpha@...rceware.org, systemd-devel@...ts.freedesktop.org, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, Mark Rutland <mark.rutland@....com>, Mark Brown <broonie@...nel.org>, Dave Martin <dave.martin@....com>, Catalin Marinas <Catalin.Marinas@....com>, Will Deacon <will.deacon@....com>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, linux-hardening@...r.kernel.org Subject: Re: BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures Hi, On Thu, 22 Oct 2020 at 23:24, Topi Miettinen <toiwoton@...il.com> wrote: > SARA looks interesting. What is missing is a prctl() to enable all W^X > protections irrevocably for the current process, then systemd could > enable it for services with MemoryDenyWriteExecute=yes. SARA actually has a procattr interface to do just that. There is also a library to help using it. > I didn't also see specific measures against memfd_create() or file > system W&X, but perhaps those can be added later. You are right, there are no measures against those vectors. It would be interesting to add them, though. > Maybe pkey_mprotect() > is not handled either unless it uses the same LSM hook as mprotect(). IIRC mprotect is implemented more or less as a pkey_mprotect with -1 as pkey. The same LSM hook should cover both. Salvatore  https://firstname.lastname@example.org/  https://github.com/smeso/libsara
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.