From patchwork Tue Jun 11 15:27:03 2024
X-Patchwork-Submitter: Adhemerval Zanella Netto
X-Patchwork-Id: 803244
From: Adhemerval Zanella
To: libc-alpha@sourceware.org
Cc: Stephen Roettger, jeffxu@chromium.org, Carlos O'Donell, Florian Weimer
Subject: [RFC 0/5] Add support for memory sealing
Date: Tue, 11 Jun 2024 12:27:03 -0300
Message-ID: <20240611153220.165430-1-adhemerval.zanella@linaro.org>

Linux 6.10 (8be7258aad44b5e25977a98db136f677fa6f4370) added the mseal
syscall, which allows blocking some memory operations on a VMA range:

* Unmapping, moving to another location, extending or shrinking the size,
  munmap, and mremap.
* Moving or expanding a different VMA into the current location, via mremap.
* Modifying the memory range with mmap along with flag MAP_FIXED.
* Expanding the size with mremap.
* Changing the protection flags with mprotect or pkey_mprotect.
* Destructive behaviors on anonymous memory, such as madvise with
  MADV_DONTNEED.

Memory sealing might be useful as a hardening mechanism to avoid either
remapping the memory segments or changing the memory protection segments
layout by the dynamic loader (for instance the RELRO hardening). A similar
hardening is done by OpenBSD with the mimmutable syscall [1].

The first patch removes an unrequired knob for modules without GNU_PT_STACK
that prevents the RELRO memory sealing of libc.

The second patch adds the mseal support for Linux. Most programs will not
use it directly; however, some specific ones like Chrome do plan to use it.

The third patch adds memory sealing in multiple places where the memory is
supposed to be immutable over program execution:

* All shared library dependencies from the binary, including the read-only
  segments after PT_GNU_RELRO setup.
* The binary itself, including dynamic and static links. In both cases, it
  is up to either the binary or the loader to set up the sealing.
* The vDSO vma provided by the kernel (if existent).
* Any preload libraries.
* Any library loaded with dlopen with RTLD_NODELETE flag.

For binary dependencies, the RTLD_NODELETE signals the link_map should be
sealed. It also makes dlopen objects with the flag sealed as well.

The sealing is also controlled by a new tunable, glibc.rtld.seal, with three
different states:

0. Disabled, where no sealing is done.
1. Enabled, where the loader will issue the mseal syscall on the memory
   mappings but any failure will be ignored. This is the default.
2. Enforce, similar to Enabled but any failure from the mseal will terminate
   the process.

The fourth patch adds support for the libgcc_s.so loaded during process
execution. The fifth is for adding support for audit modules.

This patchset does not delay RELRO activation until after their ELF
constructors have been executed, as suggested on the previous RFC for mseal
support. It is not strictly required, and it requires extensive changes on
_dl_start_user to either make _dl_init call RELRO/sealing setup after
ctor/initarray is done, or call it after _dl_init. There is also the question
of whether to apply RELRO/sealing per module after ctor/initarray or in bulk
after _dt_init. I am still investigating this.

One drawback of the Linux approach is I do not see an easy way to memory seal
the stack without kernel support. The stack is not fully mapped by the kernel
at program start, so even trying to add some hack on loader initialization
might not be sufficient.

I have tested on both x86_64-linux-gnu and aarch64-linux-gnu with Linux
6.10-rc2, along with some testing on a powerpc64le-linux-gnu VM. I also
enabled glibc.rtld.seal=2 to check for possible mseal failures.

[1] https://man.openbsd.org/mimmutable.2
[2] https://docs.google.com/document/d/1O2jwK4dxI3nRcOJuPYkonhTkNQfbmwdvxQMyXgeaRHo/edit#heading=h.bvaojj9fu6hc

Adhemerval Zanella (5):
  linux: Remove __stack_prot
  linux: Add mseal syscall support
  elf: Add support to memory sealing
  elf: Enable RTLD_NODELETE on __libc_unwind_link_get
  elf: Add support to memory sealing for audit modules

 NEWS | 4 +
 elf/dl-load.c | 48 +--
 elf/dl-mseal-mode.h | 29 ++
 elf/dl-open.c | 4 +
 elf/dl-reloc.c | 49 +++
 elf/dl-support.c | 7 +
 elf/dl-tunables.list | 6 +
 elf/rtld.c | 14 +-
 elf/setup-vdso.h | 3 +
 elf/tst-rtld-list-tunables.exp | 1 +
 include/dlfcn.h | 2 +
 include/link.h | 6 +
 manual/memory.texi | 66 ++++
 manual/tunables.texi | 42 +++
 misc/unwind-link.c | 5 +-
 string/strerrorname_np.c | 1 +
 sysdeps/generic/dl-mseal.h | 25 ++
 sysdeps/generic/ldsodefs.h | 6 +
 sysdeps/unix/sysv/linux/Makefile | 48 +++
 sysdeps/unix/sysv/linux/Versions | 3 +
 .../unix/sysv/linux/aarch64/arch-syscall.h | 1 +
 sysdeps/unix/sysv/linux/aarch64/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/alpha/arch-syscall.h | 1 +
 sysdeps/unix/sysv/linux/alpha/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/arc/arch-syscall.h | 1 +
 sysdeps/unix/sysv/linux/arc/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/arm/arch-syscall.h | 1 +
 sysdeps/unix/sysv/linux/arm/be/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/arm/le/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/bits/mman-shared.h | 8 +
 sysdeps/unix/sysv/linux/csky/arch-syscall.h | 1 +
 sysdeps/unix/sysv/linux/csky/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/dl-execstack.c | 25 +-
 sysdeps/unix/sysv/linux/dl-mseal.c | 51 ++++
 sysdeps/unix/sysv/linux/dl-mseal.h | 29 ++
 sysdeps/unix/sysv/linux/hppa/arch-syscall.h | 1 +
 sysdeps/unix/sysv/linux/hppa/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/i386/arch-syscall.h | 1 +
 sysdeps/unix/sysv/linux/i386/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/kernel-features.h | 8 +
 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c | 19 ++
 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c | 19 ++
 .../sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c | 19 ++
 .../sysv/linux/lib-tst-dl_mseal-dlopen-1.c | 19 ++
 .../sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c | 19 ++
 .../sysv/linux/lib-tst-dl_mseal-dlopen-2.c | 19 ++
 .../sysv/linux/lib-tst-dl_mseal-preload.c | 19 ++
 .../unix/sysv/linux/loongarch/arch-syscall.h | 1 +
 .../sysv/linux/loongarch/lp64/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/m68k/arch-syscall.h | 1 +
 .../sysv/linux/m68k/coldfire/libc.abilist | 1 +
 .../unix/sysv/linux/m68k/m680x0/libc.abilist | 1 +
 .../unix/sysv/linux/microblaze/arch-syscall.h | 1 +
 .../sysv/linux/microblaze/be/libc.abilist | 1 +
 .../sysv/linux/microblaze/le/libc.abilist | 1 +
 .../sysv/linux/mips/mips32/arch-syscall.h | 1 +
 .../sysv/linux/mips/mips32/fpu/libc.abilist | 1 +
 .../sysv/linux/mips/mips64/n32/arch-syscall.h | 1 +
 .../sysv/linux/mips/mips64/n32/libc.abilist | 1 +
 .../sysv/linux/mips/mips64/n64/arch-syscall.h | 1 +
 .../sysv/linux/mips/mips64/n64/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/nios2/arch-syscall.h | 1 +
 sysdeps/unix/sysv/linux/nios2/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/or1k/arch-syscall.h | 1 +
 sysdeps/unix/sysv/linux/or1k/libc.abilist | 1 +
 .../linux/powerpc/powerpc32/arch-syscall.h | 1 +
 .../linux/powerpc/powerpc32/fpu/libc.abilist | 1 +
 .../powerpc/powerpc32/nofpu/libc.abilist | 1 +
 .../linux/powerpc/powerpc64/arch-syscall.h | 1 +
 .../linux/powerpc/powerpc64/be/libc.abilist | 1 +
 .../linux/powerpc/powerpc64/le/libc.abilist | 1 +
 .../unix/sysv/linux/riscv/rv32/arch-syscall.h | 1 +
 .../unix/sysv/linux/riscv/rv32/libc.abilist | 1 +
 .../unix/sysv/linux/riscv/rv64/arch-syscall.h | 1 +
 .../unix/sysv/linux/riscv/rv64/libc.abilist | 1 +
 .../sysv/linux/s390/s390-32/arch-syscall.h | 1 +
 .../unix/sysv/linux/s390/s390-32/libc.abilist | 1 +
 .../sysv/linux/s390/s390-64/arch-syscall.h | 1 +
 .../unix/sysv/linux/s390/s390-64/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/sh/arch-syscall.h | 1 +
 sysdeps/unix/sysv/linux/sh/be/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/sh/le/libc.abilist | 1 +
 .../sysv/linux/sparc/sparc32/arch-syscall.h | 1 +
 .../sysv/linux/sparc/sparc32/libc.abilist | 1 +
 .../sysv/linux/sparc/sparc64/arch-syscall.h | 1 +
 .../sysv/linux/sparc/sparc64/libc.abilist | 1 +
 sysdeps/unix/sysv/linux/syscall-names.list | 1 +
 sysdeps/unix/sysv/linux/syscalls.list | 1 +
 .../unix/sysv/linux/tst-dl_mseal-auditmod.c | 23 ++
 sysdeps/unix/sysv/linux/tst-dl_mseal-static.c | 2 +
 sysdeps/unix/sysv/linux/tst-dl_mseal.c | 283 ++++++++++++++++++
 sysdeps/unix/sysv/linux/tst-mseal.c | 67 +++++
 .../unix/sysv/linux/x86_64/64/arch-syscall.h | 1 +
 .../unix/sysv/linux/x86_64/64/libc.abilist | 1 +
 .../unix/sysv/linux/x86_64/x32/arch-syscall.h | 1 +
 .../unix/sysv/linux/x86_64/x32/libc.abilist | 1 +
 96 files changed, 993 insertions(+), 65 deletions(-)
 create mode 100644 elf/dl-mseal-mode.h
 create mode 100644 sysdeps/generic/dl-mseal.h
 create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.c
 create mode 100644 sysdeps/unix/sysv/linux/dl-mseal.h
 create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-1.c
 create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-2.c
 create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1-1.c
 create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-1.c
 create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2-1.c
 create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-dlopen-2.c
 create mode 100644 sysdeps/unix/sysv/linux/lib-tst-dl_mseal-preload.c
 create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-auditmod.c
 create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal-static.c
 create mode 100644 sysdeps/unix/sysv/linux/tst-dl_mseal.c
 create mode 100644 sysdeps/unix/sysv/linux/tst-mseal.c
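
Added example, not code from this patch series or from glibc: a small C program that applies the three glibc.rtld.seal policies described in the cover letter to one anonymous page through the raw mseal syscall, then checks that mprotect and munmap on the sealed page are refused. The names `seal_mode`, `seal_range` and `demo` are hypothetical, and the fallback syscall number 462 is an assumption for x86_64 and aarch64 builds whose headers predate Linux 6.10.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef __NR_mseal
# define __NR_mseal 462 /* assumption: x86_64/aarch64 number, for old headers */
#endif

/* Hypothetical names for the three glibc.rtld.seal states in the cover letter. */
enum seal_mode { SEAL_DISABLED = 0, SEAL_ENABLED = 1, SEAL_ENFORCE = 2 };

/* 1: range sealed; 0: not sealed, tolerated; -1: failure that Enforce treats as fatal. */
static int seal_range(void *addr, size_t len, enum seal_mode mode)
{
    if (mode == SEAL_DISABLED)
        return 0;
    if (syscall(__NR_mseal, addr, len, 0UL) == 0) /* flags must be 0 */
        return 1;
    return mode == SEAL_ENFORCE ? -1 : 0; /* e.g. ENOSYS before Linux 6.10 */
}

/* Map a page, make it read-only (as RELRO does), seal it per MODE, then try to undo it.
   1: sealed, both calls refused with EPERM; 0: unsealed, both succeeded; -1: otherwise. */
int demo(enum seal_mode mode)
{
    size_t len = (size_t) sysconf(_SC_PAGESIZE);
    char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED || mprotect(p, len, PROT_READ) != 0)
        return -1;
    int sealed = seal_range(p, len, mode);
    if (sealed < 0) { /* Enforce: the loader would terminate the process here */
        munmap(p, len);
        return -1;
    }
    int prot_ok = mprotect(p, len, PROT_READ | PROT_WRITE) == 0;
    int prot_eperm = !prot_ok && errno == EPERM;
    int unmap_ok = munmap(p, len) == 0; /* a sealed page stays mapped until exit */
    int unmap_eperm = !unmap_ok && errno == EPERM;
    if (sealed)
        return (prot_eperm && unmap_eperm) ? 1 : -1;
    return (prot_ok && unmap_ok) ? 0 : -1;
}

int main(void)
{
    for (int m = SEAL_DISABLED; m <= SEAL_ENFORCE; m++)
        printf("glibc.rtld.seal=%d -> demo() = %d\n", m, demo((enum seal_mode) m));
    return 0;
}
```

On a kernel without mseal the Enabled mode reports 0 (failure ignored) and Enforce reports -1, matching the difference between states 1 and 2 of the tunable.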