| Message ID | 20240611153220.165430-1-adhemerval.zanella@linaro.org |
|---|---|
| Headers | show
Delivered-To: patch@linaro.org
Received: by 2002:a05:6000:e87:b0:35b:5a80:51b4 with SMTP id dz7csp367555wrb;
Tue, 11 Jun 2024 08:32:46 -0700 (PDT)
X-Forwarded-Encrypted: i=3;
AJvYcCVm4G3lDSm4InJqF6NLJmDk/6e8U1J/++9wq9xVWvLAf646DkrZsJcqN+MtoSW8i9GeNA32sHazY0DfDVbS+xcP
X-Google-Smtp-Source:
AGHT+IFnt0n/1QOlBxNso/+d/KQmnEAhs8Bm8m7DAgDJyyo2Q7KqOkUD74kzaG7t4efsnh0cEAcV
X-Received: by 2002:ad4:5f0a:0:b0:6ad:764d:bf39 with SMTP id
6a1803df08f44-6b089ebe8damr46532926d6.11.1718119966370;
Tue, 11 Jun 2024 08:32:46 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1718119966; cv=pass;
d=google.com; s=arc-20160816;
b=U6Tbk2PNptKlv/HcgbhqKMtVZ3vE59DWzBY4IeVxmIx7IlTdVhbK1BnxvoHjNjyPcO
yMXAe2GnKW3FJqwqcTsF4LKm2vV8fqM6sZXSmU4RvGt9OwoiLaDAoe/FjRfnwxEHRevH
TEREJPCFPq8RptvrPmKGHRuGJZzUUbUw8aEM0CaBDUUGYdmxyOFIFAdiyF4mdjWtX4Ug
4woZkui5qQvS6mQyGlwvNtJ0ymmmBrB1L1WRyrBrsQRLGmRw+l5SRcLwPETEsyu7mSyX
ZZHrOG6blpmRVdLUuyGtLwOUdmZ+dAph3d53oEpDOy/9HwAEd6eARhJ11P8ntLZXZsME
vwZg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=errors-to:list-subscribe:list-help:list-post:list-archive
:list-unsubscribe:list-id:precedence:content-transfer-encoding
:mime-version:message-id:date:subject:cc:to:from:dkim-signature
:arc-filter:dmarc-filter:delivered-to;
bh=pTDUOI4fHRQJhrFNSfZsgsqb8YLjI0GBJoK+xUY1dFk=;
fh=Xe8CcRFBQpY3WaKalMJwtTjJfhW8yymKb7+oOheBL8A=;
b=0JThLg05K7CEZF0l4f27SGTwxTe4a1+vAo8lCVUI1Yn32oCLFNIVEctjqxoY2zf9DS
tT1AQ8TK5d9pGSzBG8WHSOA+MlIeyQLEKA5kyOgQ76hRKAmpqSSWxlF6F7+TyDb5hWIq
RkXgIMLrM0zpboTFLDOqm54E8dmdOSR3nRFQHxBv/0vxIy9Y8EC98zxeY3Ne3AzgZt1O
/WK9LEa+F6WGItyuiEbmTAOfGEE9uQ+JH8MvM/aV1ZPZ6Qx5tuEIycw9UiuIyK+X9xNO
5/yGdcUDWZSKhQjR4BlEvBqEb0VN0n+DjeraPri+39oYtTkSuCsGe7s1yPNKaY59In5h
GyHg==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@linaro.org header.s=google header.b=lJm7zpiq;
arc=pass (i=1);
spf=pass (google.com: domain of
libc-alpha-bounces+patch=linaro.org@sourceware.org designates 8.43.85.97 as
permitted sender)
smtp.mailfrom="libc-alpha-bounces+patch=linaro.org@sourceware.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <libc-alpha-bounces+patch=linaro.org@sourceware.org>
Received: from server2.sourceware.org (server2.sourceware.org. [8.43.85.97])
by mx.google.com with ESMTPS id
6a1803df08f44-6b063702b2fsi100021986d6.373.2024.06.11.08.32.46
for <patch@linaro.org>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 11 Jun 2024 08:32:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of
libc-alpha-bounces+patch=linaro.org@sourceware.org designates 8.43.85.97 as
permitted sender) client-ip=8.43.85.97;
Authentication-Results: mx.google.com;
dkim=pass header.i=@linaro.org header.s=google header.b=lJm7zpiq;
arc=pass (i=1);
spf=pass (google.com: domain of
libc-alpha-bounces+patch=linaro.org@sourceware.org designates 8.43.85.97 as
permitted sender)
smtp.mailfrom="libc-alpha-bounces+patch=linaro.org@sourceware.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from server2.sourceware.org (localhost [IPv6:::1])
by sourceware.org (Postfix) with ESMTP id 02134385E459
for <patch@linaro.org>; Tue, 11 Jun 2024 15:32:46 +0000 (GMT)
X-Original-To: libc-alpha@sourceware.org
Delivered-To: libc-alpha@sourceware.org
Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com
[IPv6:2607:f8b0:4864:20::429])
by sourceware.org (Postfix) with ESMTPS id 08A543858C5F
for <libc-alpha@sourceware.org>; Tue, 11 Jun 2024 15:32:28 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 08A543858C5F
Authentication-Results: sourceware.org;
dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=linaro.org
ARC-Filter: OpenARC Filter v1.0.0 sourceware.org 08A543858C5F
Authentication-Results: server2.sourceware.org;
arc=none smtp.remote-ip=2607:f8b0:4864:20::429
ARC-Seal: i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1718119950; cv=none;
b=mHBZcMAuAeg8a5C989Ysz53Vsa5QxTgJANKX8XoCEiW2bkJqpjhtBm1fgg7PIOME24C3uh+b2WnoGoGozjIU0LIGfIC6UyGLIeBWFjezlwmnaI4E/OaE0Pt0BuIY1yqpLrWjGNy061ShMfGkdv0FFJwVQwN1iZoSfYm18ttkQdM=
ARC-Message-Signature: i=1; a=rsa-sha256; d=sourceware.org; s=key;
t=1718119950; c=relaxed/simple;
bh=UM26SAajqUxBbS6BRms6VGdji/oOPZUXzEIGJ3kAAfk=;
h=DKIM-Signature:From:To:Subject:Date:Message-ID:MIME-Version;
b=psznuBFWOQLu0O2o1h2ZV3Vod2mKVuKF5AshaEt771hgEBZAjzSkh/U2rqcEAn/gbuoDwEaWTOU4Ca5VaTnImqUMuguSw1911vkYk8aV52iYu0JQgUb0JDtZleM73fd1iwRVGdEjQ4eGsJEfRsRtbj0FkykW5Bzlfs7oCeAzFFk=
ARC-Authentication-Results: i=1; server2.sourceware.org
Received: by mail-pf1-x429.google.com with SMTP id
d2e1a72fcca58-7025f4f4572so4902925b3a.1
for <libc-alpha@sourceware.org>; Tue, 11 Jun 2024 08:32:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=linaro.org; s=google; t=1718119946; x=1718724746; darn=sourceware.org;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=pTDUOI4fHRQJhrFNSfZsgsqb8YLjI0GBJoK+xUY1dFk=;
b=lJm7zpiqUP8iq6umihtoATloY0xS0Whcs0Z75j17FQVNH7wQ4slbHunT2/BUNH/ycN
M/C1iM3vUqkMtnsPG94aBOtvGpNiWYOtQiOEZT4TEuz/EzFBBRmgiuj/d1DW87O/UPQo
EnFn1hArnE8k85wq/DwOKJHwafDFsUTNb2buEV9Nt9+LS7Yjb0PeEA4sqE0/8UPw37iA
qqRSfMx3kc6fUavJFk5GH+DRrAiWcmMDoQKJ2Vx57IZMnvDUGXZihZuvI4NHzkAVHlus
z8FWFJWgmYJLhit3eirItzyqIncsS5R856MX4umtS78+9rPyvGRkuoRBYPwPhMBECRML
flug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1718119946; x=1718724746;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=pTDUOI4fHRQJhrFNSfZsgsqb8YLjI0GBJoK+xUY1dFk=;
b=CpPiTfN679ymz8YoItlLhqBSJC5Hi6YkVkXX7OCscLIasrvoPDLSFDRwQBoZDJOV3v
qhTE2Vm3Rewe8P3lmcaqg56awUBkhIB+3PXm3mC6jpLDA9kgLePj36E2pbf6U3+VpIkz
VOFKaWM73EQ7+ewtzDUkU0y3OC8Pu01JOhE9Q4LXHrOGEqf1puAIJkGc0cMXzhCrcBEW
Rwqeyo5Hj6bPZZuFsK1mkRvA69sCLkRFskEB8/AW9b0qvJu+DKUCTULHHRZRUsEy3ihH
C+u53KCJHYTeYaobuEBWEFFtO72cGC3/AByEqrGwBOHD4iCZPcuj8C90XRRPAfVyxtF+
1Liw==
X-Gm-Message-State: AOJu0YxcnLyyBOudEMf+SNTjAzDWev6pIEut5S5qKSUbMTGqzgxYz+7H
OCAfv6EgPouWkH8/68SAx7OAX+VxHUu2DoUL5qp74+cZLHNyqv7cwKaFrUajjAchtbN1qKJYXef
T
X-Received: by 2002:a05:6a20:3948:b0:1b8:3ee2:bf02 with SMTP id
adf61e73a8af0-1b86bd5f7bemr4194864637.17.1718119946301;
Tue, 11 Jun 2024 08:32:26 -0700 (PDT)
Received: from mandiga.. ([2804:1b3:a7c0:c5fb:1cf6:d480:34ef:aedf])
by smtp.gmail.com with ESMTPSA id
d2e1a72fcca58-70422c977dasm6023811b3a.62.2024.06.11.08.32.23
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 11 Jun 2024 08:32:25 -0700 (PDT)
From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
To: libc-alpha@sourceware.org
Cc: Stephen Roettger <sroettger@google.com>, jeffxu@chromium.org,
Carlos O'Donell <carlos@redhat.com>, Florian Weimer <fweimer@redhat.com>
Subject: [RFC 0/5] Add support for memory sealing
Date: Tue, 11 Jun 2024 12:27:03 -0300
Message-ID: <20240611153220.165430-1-adhemerval.zanella@linaro.org>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-5.3 required=5.0 tests=BAYES_00, DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,
SPF_PASS, TXREP,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
server2.sourceware.org
X-BeenThere: libc-alpha@sourceware.org
X-Mailman-Version: 2.1.30
Precedence: list
List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org>
List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>,
<mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help>
List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>,
<mailto:libc-alpha-request@sourceware.org?subject=subscribe>
Errors-To: libc-alpha-bounces+patch=linaro.org@sourceware.org
|
| Series | Add support for memory sealing | expand |
The Linux 6.10 (8be7258aad44b5e25977a98db136f677fa6f4370) added the mseal syscall that allows blocking some memory operations on VMA range: * Unmapping, moving to another location, extending or shrinking the size, munmap, and mremap. * Moving or expanding a different VMA into the current location, via mremap. * Modifying the memory range with mmap along with flag MAP_FIXED. * Expanding the size with mremap. * Change the protection flags with mprotect or pkey_mprotect. * Destructive behaviors on anonymous memory, such as madvice with MADV_DONTNEED. Memory sealing might be useful as a hardening mechanism to avoid either remapping the memory segments or changing the memory protection segments layout by the dynamic loader (for instance the RELRO hardening). A similar hardening is done by OpenBSD with the mimmutable syscall [1]. The first patch removes an unrequired knob for modules without GNU_PT_STACK that prevents the RELRO memory sealing of libc. The second patch adds the mseal support for Linux. Most of the programs will not use it directly, however, some specific ones like Chrome do have the plan to use it. The third patch adds memory sealing in multiple places where the memory is supposed to be immutable over program execution: * All shared library dependencies from the binary, including the read-only segments after PT_GNU_RELRO setup. * The binary itself, including dynamic and static links. In both It is up either to binary or the loader to set up the sealing. * The vDSO vma provided by the kernel (if existent). * Any preload libraries. * Any library loaded with dlopen with RTLD_NODELETE flag. For binary dependencies, the RTLD_NODELETE signals the link_map should be sealed. It also makes dlopen objects with the flag sealed as well. The sealing is also controlled by a new tunable, glibc.rtld.seal, with three different states: 0. Disabled where no sealing is done. 1. Enabled, where the loader will issue the mseal syscall on the memory mappings but any failure will be ignored. This is the default. 2. Enforce, similar to Enabled but any failure from the mseal will terminate the process. The fourth patch adds support for the libgcc_s.so loaded during process execution. The fifth is for adding support audit modules. This patchset does not delay RELRO activation until after their ELF constructors have been executed, as suggested on the previous RFC for mseal support. It is not strictly required, and it requires extensive changes on _dl_start_user to either make _dl_init call RELRO/sealing setup after ctor/initarray is done, or call it after _dl_init. There is also the question of whether to apply RELRO/sealing per module after ctor/initarray or in bulk after _dt_init. I am still investigate this. One drawback of the Linux approach is I do not see an easy way to memory seal the stack without kernel support. The stack is not fully mapped by the kernel at program start, so even trying to add some hack on loader initialization might not be sufficient. I have tested on both x86_64-linux-gnu and aarch64-linux-gnu with Linux 6.10-rc2, along with some testing on a powerpc64le-linux-gnu VM. I also enabled glibc.rtld.seal=2 to check for possible mseal failures. [1] https://man.openbsd.org/mimmutable.2 [2] https://docs.google.com/document/d/1O2jwK4dxI3nRcOJuPYkonhTkNQfbmwdvxQMyXgeaRHo/edit#heading=h.bvaojj9fu6hc Adhemerval Zanella (5): linux: Remove __stack_prot linux: Add mseal syscall support elf: Add support to memory sealing elf: Enable RTLD_NODELETE on __libc_unwind_link_get elf: Add support to memory sealing for audit modules NEWS | 4 + elf/dl-load.c | 48 +-- elf/dl-mseal-mode.h | 29 ++ elf/dl-open.c | 4 + elf/dl-reloc.c | 49 +++ elf/dl-support.c | 7 + elf/dl-tunables.list | 6 + elf/rtld.c | 14 +- elf/setup-vdso.h | 3 + elf/tst-rtld-list-tunables.exp | 1 + include/dlfcn.h | 2 + include/link.h | 6 + manual/memory.texi | 66 ++++ manual/tunables.texi | 42 +++ misc/unwind-link.c | 5 +- string/strerrorname_np.c | 1 + sysdeps/generic/dl-mseal.h | 25 ++ sysdeps/generic/ldsodefs.h | 6 + sysdeps/unix/sysv/linux/Makefile | 48 +++ sysdeps/unix/sysv/linux/Versions | 3 + .../unix/sysv/linux/aarch64/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/aarch64/libc.abilist | 1 + sysdeps/unix/sysv/linux/alpha/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/alpha/libc.abilist | 1 + sysdeps/unix/sysv/linux/arc/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/arc/libc.abilist | 1 + sysdeps/unix/sysv/linux/arm/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/arm/be/libc.abilist | 1 + sysdeps/unix/sysv/linux/arm/le/libc.abilist | 1 + sysdeps/unix/sysv/linux/bits/mman-shared.h | 8 + sysdeps/unix/sysv/linux/csky/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/csky/libc.abilist | 1 + sysdeps/unix/sysv/linux/dl-execstack.c | 25 +- sysdeps/unix/sysv/linux/dl-mseal.c | 51 ++++ sysdeps/unix/sysv/linux/dl-mseal.h | 29 ++ sysdeps/unix/sysv/linux/hppa/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/hppa/libc.abilist | 1 + sysdeps/unix/sysv/linux/i386/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/i386/libc.abilist | 1 + sysdeps/unix/sysv/linux/kernel-features.h | 8 + sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c | 19 ++ sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c | 19 ++ .../sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c | 19 ++ .../sysv/linux/lib-tst-dl_mseal-dlopen-1.c | 19 ++ .../sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c | 19 ++ .../sysv/linux/lib-tst-dl_mseal-dlopen-2.c | 19 ++ .../sysv/linux/lib-tst-dl_mseal-preload.c | 19 ++ .../unix/sysv/linux/loongarch/arch-syscall.h | 1 + .../sysv/linux/loongarch/lp64/libc.abilist | 1 + sysdeps/unix/sysv/linux/m68k/arch-syscall.h | 1 + .../sysv/linux/m68k/coldfire/libc.abilist | 1 + .../unix/sysv/linux/m68k/m680x0/libc.abilist | 1 + .../unix/sysv/linux/microblaze/arch-syscall.h | 1 + .../sysv/linux/microblaze/be/libc.abilist | 1 + .../sysv/linux/microblaze/le/libc.abilist | 1 + .../sysv/linux/mips/mips32/arch-syscall.h | 1 + .../sysv/linux/mips/mips32/fpu/libc.abilist | 1 + .../sysv/linux/mips/mips64/n32/arch-syscall.h | 1 + .../sysv/linux/mips/mips64/n32/libc.abilist | 1 + .../sysv/linux/mips/mips64/n64/arch-syscall.h | 1 + .../sysv/linux/mips/mips64/n64/libc.abilist | 1 + sysdeps/unix/sysv/linux/nios2/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/nios2/libc.abilist | 1 + sysdeps/unix/sysv/linux/or1k/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/or1k/libc.abilist | 1 + .../linux/powerpc/powerpc32/arch-syscall.h | 1 + .../linux/powerpc/powerpc32/fpu/libc.abilist | 1 + .../powerpc/powerpc32/nofpu/libc.abilist | 1 + .../linux/powerpc/powerpc64/arch-syscall.h | 1 + .../linux/powerpc/powerpc64/be/libc.abilist | 1 + .../linux/powerpc/powerpc64/le/libc.abilist | 1 + .../unix/sysv/linux/riscv/rv32/arch-syscall.h | 1 + .../unix/sysv/linux/riscv/rv32/libc.abilist | 1 + .../unix/sysv/linux/riscv/rv64/arch-syscall.h | 1 + .../unix/sysv/linux/riscv/rv64/libc.abilist | 1 + .../sysv/linux/s390/s390-32/arch-syscall.h | 1 + .../unix/sysv/linux/s390/s390-32/libc.abilist | 1 + .../sysv/linux/s390/s390-64/arch-syscall.h | 1 + .../unix/sysv/linux/s390/s390-64/libc.abilist | 1 + sysdeps/unix/sysv/linux/sh/arch-syscall.h | 1 + sysdeps/unix/sysv/linux/sh/be/libc.abilist | 1 + sysdeps/unix/sysv/linux/sh/le/libc.abilist | 1 + .../sysv/linux/sparc/sparc32/arch-syscall.h | 1 + .../sysv/linux/sparc/sparc32/libc.abilist | 1 + .../sysv/linux/sparc/sparc64/arch-syscall.h | 1 + .../sysv/linux/sparc/sparc64/libc.abilist | 1 + sysdeps/unix/sysv/linux/syscall-names.list | 1 + sysdeps/unix/sysv/linux/syscalls.list | 1 + .../unix/sysv/linux/tst-dl_mseal-auditmod.c | 23 ++ sysdeps/unix/sysv/linux/tst-dl_mseal-static.c | 2 + sysdeps/unix/sysv/linux/tst-dl_mseal.c | 283 ++++++++++++++++++ sysdeps/unix/sysv/linux/tst-mseal.c | 67 +++++ .../unix/sysv/linux/x86_64/64/arch-syscall.h | 1 + .../unix/sysv/linux/x86_64/64/libc.abilist | 1 + .../unix/sysv/linux/x86_64/x32/arch-syscall.h | 1 + .../unix/sysv/linux/x86_64/x32/libc.abilist | 1 + 96 files changed, 993 insertions(+), 65 deletions(-) create mode 100644 elf/dl-mseal-mode.h create mode 100644 sysdeps/generic/dl-mseal.h create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.c create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.h create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-static.c create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal.c create mode 100644 sysdeps/unix/sysv/linux/tst-mseal.c