Hi, The background to this is that systemd has a configuration option called MemoryDenyWriteExecute [1], implemented as a SECCOMP BPF filter. Its aim is to prevent a user task from inadvertently creating an executable mapping that is (or was) writeable. Since such BPF filter is stateless, it cannot detect mappings that were previously writeable but subsequently changed to read-only. Therefore the filter simply rejects any mprotect(PROT_EXEC). The side-effect is that on arm64 with BTI support (Branch Target Identification), the dynamic loader cannot change an ELF section from PROT_EXEC to PROT_EXEC|PROT_BTI using mprotect(). For libraries, it can resort to unmapping and re-mapping but for the main executable it does not have a file descriptor. The original bug report in the Red Hat bugzilla - [2] - and subsequent glibc workaround for libraries - [3]. Add in-kernel support for such feature as a DENY_WRITE_EXEC personality flag, inherited on fork() and execve(). The kernel tracks a previously writeable mapping via a new VM_WAS_WRITE flag (64-bit only architectures). I went for a personality flag by analogy with the READ_IMPLIES_EXEC one. However, I'm happy to change it to a prctl() if we don't want more personality flags. A minor downside with the personality flag is that there is no way for the user to query which flags are supported, so in patch 3 I added an AT_FLAGS bit to advertise this. Posting this as an RFC to start a discussion and cc'ing some of the systemd guys and those involved in the earlier thread around the glibc workaround for dynamic libraries [4]. Before thinking of upstreaming this we'd need the systemd folk to buy into replacing the MDWE SECCOMP BPF filter with the in-kernel one. Thanks, Catalin [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute= [2] https://bugzilla.redhat.com/show_bug.cgi?id=1888842 [3] https://sourceware.org/bugzilla/show_bug.cgi?id=26831 [3] https://lore.kernel.org/r/cover.1604393169.git.szabolcs.nagy@xxxxxxx Catalin Marinas (4): mm: Track previously writeable vma permission mm, personality: Implement memory-deny-write-execute as a personality flag fs/binfmt_elf: Tell user-space about the DENY_WRITE_EXEC personality flag arm64: Select ARCH_ENABLE_DENY_WRITE_EXEC arch/arm64/Kconfig | 1 + fs/binfmt_elf.c | 2 ++ include/linux/mm.h | 6 ++++++ include/linux/mman.h | 18 +++++++++++++++++- include/uapi/linux/binfmts.h | 4 ++++ include/uapi/linux/personality.h | 1 + mm/Kconfig | 4 ++++ mm/mmap.c | 3 +++ mm/mprotect.c | 5 +++++ 9 files changed, 43 insertions(+), 1 deletion(-)
