Date: Fri, 23 Oct 2020 18:52:50 +0100
From: Salvatore Mesoraca <>
To: Topi Miettinen <>
Cc: Kees Cook <>, Szabolcs Nagy <>, Jeremy Linton <>, Mark Rutland <>,
	Mark Brown <>, Dave Martin <>, Catalin Marinas <>, Will Deacon <>,
	Kernel Hardening <>
Subject: Re: BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures


On Thu, 22 Oct 2020 at 23:24, Topi Miettinen <> wrote:
> SARA looks interesting. What is missing is a prctl() to enable all W^X
> protections irrevocably for the current process, then systemd could
> enable it for services with MemoryDenyWriteExecute=yes.

SARA actually has a procattr[0] interface to do just that.
There is also a library[1] to help using it.

> I also didn't see specific measures against memfd_create() or file
> system W&X, but perhaps those can be added later.

You are right, there are no measures against those vectors.
It would be interesting to add them, though.

> Maybe pkey_mprotect()
> is not handled either unless it uses the same LSM hook as mprotect().

IIRC mprotect is implemented more or less as a pkey_mprotect with -1 as pkey.
The same LSM hook should cover both.
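Added illustration, not part of this thread and not SARA's own code: a small Linux C probe (it assumes a Linux 4.9+ kernel that provides the pkey_mprotect syscall, and glibc) that requests the same protection change once through mprotect() and once through the raw pkey_mprotect syscall with pkey = -1, then reports whether the kernel treats the two entry points the same. That is the property the reply above relies on when it says one LSM hook covers both; a policy that filtered only mprotect() would show up here as a disagreement. The probe also flags which of the requests a W^X policy such as MemoryDenyWriteExecute= is expected to refuse. The raw syscall is used deliberately because glibc's pkey_mprotect() wrapper turns pkey == -1 into a plain mprotect() call and would hide the kernel path.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Return 0 on success, otherwise the errno the kernel reported. */
static int change_via_mprotect(void *page, size_t len, int prot)
{
    return mprotect(page, len, prot) == 0 ? 0 : errno;
}

/* Same request through the raw pkey_mprotect syscall with pkey = -1
 * (no key change). The raw syscall is used on purpose: glibc's wrapper
 * turns pkey == -1 into a plain mprotect() call, which would tell us
 * nothing about the kernel side and therefore about which hook fires. */
static int change_via_pkey_mprotect(void *page, size_t len, int prot)
{
    return syscall(SYS_pkey_mprotect, page, len, prot, -1) == 0 ? 0 : errno;
}

/* Allocate a fresh read-only anonymous page, or NULL on failure. */
static void *fresh_page(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Apply `prot` to two separate fresh pages, one through each entry point.
 * Returns 1 if both calls succeed or both fail with the same errno,
 * 0 if the two entry points disagree (i.e. a policy covers only one of
 * them), and -1 if the test pages could not be allocated. */
int entrypoints_agree(int prot)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *a = fresh_page(len);
    void *b = fresh_page(len);
    if (a == NULL || b == NULL) {
        if (a) munmap(a, len);
        if (b) munmap(b, len);
        return -1;
    }
    int ra = change_via_mprotect(a, len, prot);
    int rb = change_via_pkey_mprotect(b, len, prot);
    munmap(a, len);
    munmap(b, len);
    return ra == rb;
}

/* 1 if the request asks for a page that is both writable and executable,
 * which is exactly what a W^X policy is expected to refuse. */
int violates_wx(int prot)
{
    return (prot & PROT_WRITE) && (prot & PROT_EXEC) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample requests covering the interesting combinations. */
    struct { const char *name; int prot; } reqs[] = {
        { "PROT_READ|PROT_WRITE",           PROT_READ | PROT_WRITE },
        { "PROT_READ|PROT_EXEC",            PROT_READ | PROT_EXEC },
        { "PROT_READ|PROT_WRITE|PROT_EXEC", PROT_READ | PROT_WRITE | PROT_EXEC },
    };
    size_t len = (size_t)sysconf(_SC_PAGESIZE);

    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        void *p = fresh_page(len);
        int r = p ? change_via_mprotect(p, len, reqs[i].prot) : -1;
        if (p) munmap(p, len);
        printf("%-32s wx_violation=%d mprotect=%s entrypoints_agree=%d\n",
               reqs[i].name, violates_wx(reqs[i].prot),
               r == 0 ? "allowed" : strerror(r),
               entrypoints_agree(reqs[i].prot));
    }
    return 0;
}
```

Run it once under a service with MemoryDenyWriteExecute=yes and once without: the `mprotect=` column shows what the policy actually refused, and `entrypoints_agree=0` on any row means the two syscalls are being filtered differently, which is the gap the thread is discussing.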
