On Mon, May 08, 2023 at 08:21:16PM +0300, Topi Miettinen wrote: > On 8.5.2023 17.10, Catalin Marinas wrote: > > I think we should keep the original behaviour of systemd here, otherwise > > they won't transition to the new interface and keep using the SECCOMP > > BPF approach (which, in addition, prevents glibc from setting PROT_BTI > > on an already executable mapping). > > Systemd has transitioned to prctl(PR_SET_MDWE) method since release of v253, > so the original behaviour definitely should be kept. That's great. So yes, no ABI changes allowed anymore. > > x86 has protection keys and arm64 will soon have permission overlays > > that allow user-space to toggle between RX and RW (Joey is looking at > > the arm64 support). I'm not sure how we'll end up implemented this on > > arm64 (and haven't looked at x86) but I have a suspicion MDWE will get > > in the way as the base page table permission will probably need > > PROT_WRITE|PROT_EXEC. > > Wouldn't those features defeat any gains from MDWE? The features probably > should be forbidden with MemoryDenyWriteExecute=yes. The permission overlays (controlled by the user) can only further restrict the mmap() permissions. So MDWE would still work as expected. If one wants to toggle between RW and RX with overlays, the overall mmap() needs to be RWX and it won't work if MDWE=yes. No need to explicitly disable the overlays feature. On arm64 at least, with the introduction of permission overlays we also have the notion of "Read, Execute if not Write". This permission automatically disables Exec if the mapping becomes writable (overlays can disable writable, allowing exec). We could have a new MDWE policy which allows this, though I'm not that keen on using it in Linux since background permission changes done by the kernel can lead to an unexpected executable permission (e.g. marking a page read-only for clean/dirty tracking or in preparation for CoW after fork()). -- Catalin
