[systemd-devel] BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures

Lennart Poettering mzxreary at 0pointer.de
Thu Oct 22 04:38:23 EDT 2020


On Do, 22.10.20 09:29, Szabolcs Nagy (szabolcs.nagy at arm.com) wrote:

> > > The dynamic loader has to process the LOAD segments to get to the ELF
> > > note that says to enable BTI.  Maybe we could do a first pass and load
> > > only the segments that cover notes.  But that requires lots of changes
> > > to generic code in the loader.
> >
> > What if the loader always enabled BTI for PROT_EXEC pages, but then when
> > discovering that this was a mistake, mprotect() the pages without BTI? Then
> > both BTI and MDWX would work and the penalty of not getting MDWX would fall
> > to non-BTI programs. What's the expected proportion of BTI enabled code vs.
> > disabled in the future, is it perhaps expected that a distro would enable
> > the flag globally so eventually only a few legacy programs might be
> > unprotected?
>
> i thought mprotect(PROT_EXEC) would get filtered
> with or without bti, is that not the case?

We can adjust the filter in systemd to match any combination of
flags to allow and to deny.

Lennart

--
Lennart Poettering, Berlin
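
Added example, not part of the original message and not systemd's code: a seccomp-BPF fragment that matches a combination of mprotect() protection flags, with a small userspace evaluator so the verdicts can be checked without installing the filter. The policy (PROT_EXEC permitted only as non-writable PROT_EXEC|PROT_BTI), the names `mprotect_filter` and `verdict`, and the little-endian argument layout are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#ifndef PROT_BTI
#define PROT_BTI 0x10 /* arm64 value; not defined by other architectures' headers */
#endif
#define DENY    (SECCOMP_RET_ERRNO | EPERM)
#define ALLOW   SECCOMP_RET_ALLOW
#define PROT_LO offsetof(struct seccomp_data, args[2]) /* low 32 bits, little-endian */
/* Assumed policy: mprotect() with PROT_EXEC is denied unless the request is
 * PROT_EXEC|PROT_BTI without PROT_WRITE. A deployable filter would also
 * validate seccomp_data.arch before looking at the syscall number. */
static const struct sock_filter mprotect_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mprotect, 0, 5),           /* other syscall: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, PROT_LO),
    BPF_STMT(BPF_ALU | BPF_AND | BPF_K, PROT_EXEC | PROT_WRITE | PROT_BTI),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PROT_EXEC | PROT_BTI, 2, 0),   /* exact combo: allow */
    BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, PROT_EXEC, 0, 1),             /* any other exec: deny */
    BPF_STMT(BPF_RET | BPF_K, DENY),
    BPF_STMT(BPF_RET | BPF_K, ALLOW),
};

/* Evaluate the filter in userspace for an mprotect() call with the given prot. */
static uint32_t verdict(unsigned prot)
{
    struct seccomp_data d = { .nr = SYS_mprotect, .args = { 0, 0, prot } };
    uint32_t a = 0;
    for (size_t pc = 0; pc < sizeof mprotect_filter / sizeof *mprotect_filter; pc++) {
        const struct sock_filter *i = &mprotect_filter[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS:   memcpy(&a, (const char *)&d + i->k, 4); break;
        case BPF_ALU | BPF_AND | BPF_K:  a &= i->k; break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += (a == i->k) ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (a & i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K:            return i->k;
        default:                         return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

int main(void)
{
    return verdict(PROT_READ | PROT_EXEC | PROT_BTI) == ALLOW ? 0 : 1;
}
```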


