Re: BTI interaction between seccomp filters in systemd and glibc mprotect calls, causing service failures

From: Florian Weimer
Date: Mon Oct 26 2020 - 12:46:29 EST


* Dave Martin via Libc-alpha:

> Would it now help to add something like:
>
> int mchangeprot(void *addr, size_t len, int old_flags, int new_flags)
> {
> 	int ret = -EINVAL;
> 	mmap_write_lock(current->mm);
> 	if (all vmas in [addr .. addr + len) have
> 			their mprotect flags set to old_flags) {
>
> 		ret = mprotect(addr, len, new_flags);
> 	}
>
> 	mmap_write_unlock(current->mm);
> 	return ret;
> }

I suggested something similar as well. Ideally, the interface would
subsume pkey_mprotect, though, and have a separate flags argument from
the protection flags. But then we run into argument list length limits.

Thanks,
Florian
--
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
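
The check-then-change semantics discussed in this message, as an added userspace example that is not part of the original thread or of any kernel or glibc code. The name mchangeprot_emul is hypothetical, and the sketch assumes Linux with /proc mounted; it shows why the proposal takes the mmap lock in the kernel, since a userspace version cannot close the gap between the check and the mprotect() call.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical userspace approximation of the proposed mchangeprot().
 * It holds no mmap lock, so the check and the mprotect() are NOT atomic
 * against other threads. Only r/w/x are compared: the maps permission
 * column does not show arm64 PROT_BTI. Returns 0 or -errno. */
int mchangeprot_emul(void *addr, size_t len, int old_prot, int new_prot)
{
    uintptr_t pos = (uintptr_t)addr, end = pos + len;
    unsigned long lo, hi;
    char perms[5], line[4352];
    FILE *f = fopen("/proc/self/maps", "r");

    if (!f)
        return -errno;
    /* Entries are sorted by address; walk them until the range is covered. */
    while (pos < end && fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3 || hi <= pos)
            continue;               /* unparsable, or mapping below range */
        if (lo > pos)
            break;                  /* hole: part of the range is unmapped */
        int prot = (perms[0] == 'r' ? PROT_READ : 0) |
                   (perms[1] == 'w' ? PROT_WRITE : 0) |
                   (perms[2] == 'x' ? PROT_EXEC : 0);
        if (prot != old_prot)
            break;                  /* a vma does not match old_prot */
        pos = hi;
    }
    fclose(f);
    if (pos < end)
        return -EINVAL;
    return mprotect(addr, len, new_prot) ? -errno : 0;
}

int main(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *p = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    /* Constructed demo: first call matches old_prot, second is stale. */
    printf("%d\n", mchangeprot_emul(p, 2 * pg, PROT_READ | PROT_WRITE, PROT_READ));
    printf("%d\n", mchangeprot_emul(p, 2 * pg, PROT_READ | PROT_WRITE, PROT_READ));
    return 0;
}
```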