From: Ard Biesheuvel <ard.biesheu...@gmail.com>
Subject: Re: Updated: [PATCH] hardening: add PROT_FINAL prot flag to mmap/mprotect
Date: Thu, 04 Oct 2012 12:40:02 +0200
X-Original-To: Mikael Pettersson <mi...@it.uu.se>
X-Original-Cc: Hugh Dickins <hu...@google.com>,
Andrew Morton <a...@linux-foundation.org>,
Kees Cook <keesc...@chromium.org>, linux-ker...@vger.kernel.org
2012/10/4 Mikael Pettersson <mi...@it.uu.se>:
> - If .text is mapped non-writable and final, how would a debugger
> (or any ptrace-using monitor-like application) plant a large
> number of breakpoints in a target process? Breakpoint registers
> aren't enough because (a) they're few in number, and (b) not
> all CPUs have them.
ptrace() doesn't care whether or not the process itself can write to
its .text segment.
> - You're proposing to give one component (the dynamic linker/
> loader) absolute power to impose new policies on all
> applications. How would an application that _deliberately_
> does something the new policies don't allow tell the dynamic
> linker or kernel to get out of its way?
You are debating cases in which the userland would choose not to use
the feature. That is exactly the point of this patch: the kernel
supplies the feature and it is up to the userland to use it when
desired. If not in the loader, perhaps processes running setuid
binaries or browser sandboxes could choose to call mprotect() to
finalize some of their existing mappings (their stack?) before handing
over to less trusted code or opening up to the network.
> This clearly changes the de-facto ABIs, and as such I think
> it needs much more detailed analysis than what you've done
Could we at least agree on the fundamental notion that the special
powers the loader has to modify .text and .rodata sections are hardly
ever needed by the programs themselves? In that sense, this is similar
to dropping root privileges when not required anymore, and that is
typically recognized as a sensible idea.
> At the very least I think this change should be opt-in, but
> that would require a kernel option or sysctl, or some config
> file for the user-space dynamic linker/loader.
As long as the kernel does not impose its use, I don't see a reason
for an interface into the kernel to deactivate it.
I would be interested in learning about example cases that have a
valid need to modify their own code and constant data, as
understanding those would greatly help in designing the ways userland
should be able to have control over this.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
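The sequence Ard describes above (take write permission away from a mapping the process no longer needs to modify, then make that decision irrevocable before handing control to less trusted code) can be exercised on a stock Linux box today, as an added example that is not part of the patch or of anyone's message in this thread. Mainline never merged PROT_FINAL, so the `finalize_mapping()` helper below is a hypothetical wrapper: it uses `PROT_FINAL` only if the toolchain happens to define it (an assumption about the flag's error behaviour is noted in the code), and otherwise falls back to `mseal(2)`, the interface Linux 6.10 eventually added for the same purpose, invoked as a raw syscall because the C library may not wrap it. On a kernel without either, the example still demonstrates the first half of the argument: an ordinary process can drop write access to one of its own pages and get it straight back, which is exactly the "special power" the patch wants userland to be able to give up.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Hypothetical helper (not the patch's API): set PROT bits on a mapping
 * and make them final, so that no later mprotect() can hand back what was
 * dropped.  Returns 1 if the mapping is now final, 0 if this kernel or
 * toolchain offers no way to do that, -1 on an unexpected error.
 */
static int finalize_mapping(void *addr, size_t len, int prot)
{
#ifdef PROT_FINAL
    /* Assumption: a kernel that does not know PROT_FINAL rejects it with
     * EINVAL, in which case we fall through to the mseal() path. */
    if (mprotect(addr, len, prot | PROT_FINAL) == 0)
        return 1;
    if (errno != EINVAL)
        return -1;
#endif
    /* Drop the permission first (like dropping root), then seal.  mseal()
     * refuses any later mprotect(), including ones that reduce permissions,
     * so the order matters. */
    if (mprotect(addr, len, prot) != 0)
        return -1;
#ifdef __NR_mseal
    if (syscall(__NR_mseal, addr, len, 0UL) == 0)
        return 1;
    /* ENOSYS: kernel older than 6.10.  EPERM: a seccomp filter (e.g. a
     * container runtime's default profile) blocked the syscall. */
    if (errno == ENOSYS || errno == EPERM)
        return 0;
    return -1;
#else
    return 0;
#endif
}

/* The status quo the thread argues about: a process can take write access
 * away from its own page and give it back at will.  Returns 1 on success. */
static int can_regain_write(void *p, size_t len)
{
    if (mprotect(p, len, PROT_READ) != 0)
        return -1;
    if (mprotect(p, len, PROT_READ | PROT_WRITE) != 0)
        return 0;
    ((volatile unsigned char *)p)[0] = 0x42;
    return ((volatile unsigned char *)p)[0] == 0x42;
}

/* After finalizing, re-adding PROT_WRITE must fail with EPERM.
 * Returns 1 if it is blocked, 0 if finalizing is unavailable here, -1 on error. */
static int write_blocked_after_finalize(void *p, size_t len)
{
    int fin = finalize_mapping(p, len, PROT_READ);
    if (fin <= 0)
        return fin;
    if (mprotect(p, len, PROT_READ | PROT_WRITE) == 0)
        return -1;              /* the seal did not hold */
    return errno == EPERM ? 1 : -1;
}

/* Runs both steps on a fresh anonymous page.  Returns:
 *   1  write regained before finalizing and blocked (EPERM) after it,
 *   0  write regained, but this kernel/toolchain cannot finalize a mapping,
 *  -1  something unexpected happened. */
int run_demo(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    if (can_regain_write(p, len) != 1) {
        munmap(p, len);
        return -1;
    }
    int r = write_blocked_after_finalize(p, len);
    munmap(p, len);             /* fails harmlessly with EPERM once sealed */
    return r;
}

int main(void)
{
    int r = run_demo();
    if (r == 1)
        puts("write regained freely; after finalizing, mprotect(PROT_WRITE) -> EPERM");
    else if (r == 0)
        puts("write regained freely; this kernel cannot finalize a mapping");
    else
        puts("unexpected failure");
    return r < 0;
}
```

A loader or sandbox that adopted this pattern would call `finalize_mapping()` on `.text` and `.rodata` (and, as Ard suggests, perhaps the stack) after relocation and before running untrusted code; note that once a region is final, `munmap()` and further `mprotect()` of it fail too, so it has to be the last thing done to that mapping.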