[systemd-devel] BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures

Topi Miettinen toiwoton at gmail.com
Thu Oct 22 08:17:19 UTC 2020


On 22.10.2020 10.54, Florian Weimer wrote:
> * Lennart Poettering:
> 
>> On Mi, 21.10.20 22:44, Jeremy Linton (jeremy.linton at arm.com) wrote:
>>
>>> Hi,
>>>
>>> There is a problem with glibc+systemd on BTI enabled systems. Systemd
>>> has a service flag "MemoryDenyWriteExecute" which uses seccomp to deny
>>> PROT_EXEC changes. Glibc enables BTI only on segments which are marked as
>>> being BTI compatible by calling mprotect PROT_EXEC|PROT_BTI. That call is
>>> caught by the seccomp filter, resulting in service failures.
>>>
>>> So, at the moment one has to pick either denying PROT_EXEC changes, or BTI.
>>> This is obviously not desirable.
>>>
>>> Various changes have been suggested, replacing the mprotect with mmap calls
>>> having PROT_BTI set on the original mapping, re-mmapping the segments,
>>> implying PROT_EXEC on mprotect PROT_BTI calls when VM_EXEC is already set,
>>> and various modification to seccomp to allow particular mprotect cases to
>>> bypass the filters. In each case there seems to be an undesirable attribute
>>> to the solution.
>>>
>>> So, whats the best solution?
>>
>> Did you see Topi's comments on the systemd issue?
>>
>> https://github.com/systemd/systemd/issues/17368#issuecomment-710485532
>>
>> I think I agree with this: it's a bit weird to alter the bits after
>> the fact. Can't glibc set up everything right from the begining? That
>> would keep both concepts working.
> 
> The dynamic loader has to process the LOAD segments to get to the ELF
> note that says to enable BTI.  Maybe we could do a first pass and load
> only the segments that cover notes.  But that requires lots of changes
> to generic code in the loader.

What if the loader always enabled BTI for PROT_EXEC pages, but then when 
discovering that this was a mistake, mprotect() the pages without BTI? 
Then both BTI and MDWX would work and the penalty of not getting MDWX 
would fall to non-BTI programs. What's the expected proportion of BTI 
enabled code vs. disabled in the future, is it perhaps expected that a 
distro would enable the flag globally so eventually only a few legacy 
programs might be unprotected?

-Topi


More information about the systemd-devel mailing list