On Wed, Feb 09, 2022 at 06:37:53PM -0800, Andy Lutomirski wrote: > On 2/8/22 18:18, Edgecombe, Rick P wrote: > > On Tue, 2022-02-08 at 20:02 +0300, Cyrill Gorcunov wrote: > > > > Still wrapping my head around the CRIU save and restore steps, but > > another general approach might be to give ptrace the ability to > > temporarily pause/resume/set CET enablement and SSP for a stopped > > thread. Then injected code doesn't need to jump through any hoops or > > possibly run into road blocks. I'm not sure how much this opens things > > up if the thread has to be stopped... > > Hmm, that's maybe not insane. > > An alternative would be to add a bona fide ptrace call-a-function mechanism. > I can think of two potentially usable variants: > > 1. Straight call. PTRACE_CALL_FUNCTION(addr) just emulates CALL addr, > shadow stack push and all. > > 2. Signal-style. PTRACE_CALL_FUNCTION_SIGFRAME injects an actual signal > frame just like a real signal is being delivered with the specified handler. > There could be a variant to opt-in to also using a specified altstack and > altshadowstack. Using ptrace() will not solve CRIU's issue with sigreturn because sigreturn is called from the victim context rather than from the criu process that controls the dump and uses ptrace(). Even with the current shadow stack interface Rick proposed, CRIU can restore the victim using ptrace without any additional knobs, but we loose an important ability to "self-cure" the victim from the parasite in case anything goes wrong with criu control process. Moreover, the issue with backward compatibility is not with ptrace but with sigreturn and it seems that criu is not its only user. So I think we need a way to allow direct calls to sigreturn that will bypass check and restore of the shadow stack. I only know that there are sigreturn users except criu that show up in Debian codesearch, and I don't know how do they use it, but for full backward compatibility we'd need to have no-CET sigreturn as default and add a new, say UC_CHECK_SHSTK flag to rt_sigframe->uc.uc_flags or even a new syscall for libc signal handling. > 2 would be more expensive but would avoid the need for much in the way of > asm magic. The injected code could be plain C (or Rust or Zig or whatever). > > All of this only really handles save, not restore. I don't understand > restore enough to fully understand the issue. Restore is more complex, will get to it later. > --Andy -- Sincerely yours, Mike.