BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures
Catalin Marinas
catalin.marinas at arm.com
Fri Oct 23 05:02:32 EDT 2020
On Thu, Oct 22, 2020 at 01:02:18PM -0700, Kees Cook wrote:
> Regardless, it makes sense to me to have the kernel load the executable
> itself with BTI enabled by default. I prefer gaining Catalin's suggested
> patch[2]. :)
[...]
> [2] https://lore.kernel.org/linux-arm-kernel/20201022093104.GB1229@gaia/
I think I first heard the idea at Mark R ;).
It still needs glibc changes to avoid the mprotect(), or at least ignore
the error. Since this is an ABI change and we don't know which kernels
would have it backported, maybe better to still issue the mprotect() but
ignore the failure.
--
Catalin
More information about the linux-arm-kernel
mailing list