On Mon, Feb 07, 2022 at 08:30:50AM -0800, Dave Hansen wrote: > On 2/6/22 23:20, Adrian Reber wrote: > >>> CRIU Support > >>> ------------ > >>> In the past there was some speculation on the mailing list about > >>> whether CRIU would need to be taught about CET. It turns out, it does. > >>> The first issue hit is that CRIU calls sigreturn directly from its > >>> “parasite code” that it injects into the dumper process. This violates > >>> this shadow stack implementation’s protection that intends to prevent > >>> attackers from doing this. > ... > >>From the CRIU side I can say that I would definitely like to see this > > resolved. CRIU just went through a similar exercise with rseq() being > > enabled in glibc and CI broke all around for us and other projects > > relying on CRIU. Although rseq() was around for a long time we were not > > aware of it but luckily 5.13 introduced a way to handle it for CRIU with > > ptrace. An environment variable existed but did not really help when > > CRIU is called somewhere in the middle of the container software stack. > > > >>From my point of view a solution not involving an environment variable > > would definitely be preferred. > > Have there been things like this for CRIU in the past? Something where > CRIU needs control but that's also security-sensitive? Generally CRIU requires (almost) root privileges to work, but I don't think it handles something as security sensitive and restrictive as shadow stacks. > Any thoughts on how you would _like_ to see this resolved? Ideally, CRIU will need a knob that will tell the kernel/CET machinery where the next RET will jump, along the lines of restore_signal_shadow_stack() AFAIU. But such a knob will immediately reduce the security value of the entire thing, and I don't have good ideas how to deal with it :( -- Sincerely yours, Mike.
