Re: Shadow stack enabling from dynamic loader v/s kernel on exec

From: Edgecombe, Rick P
Date: Mon Nov 27 2023 - 12:32:34 EST


On Sat, 2023-11-25 at 11:35 +0000, Mark Brown wrote:
> On Wed, Nov 22, 2023 at 04:19:51PM -0800, Deepak Gupta wrote:
>
> > "Was there any other reason other than supporting ELF binaries that
> > went ahead of kernel changes that
> > led to decision of delegating of shadow stack enabling in dynamic
> > loader"
>
> > If there are other complications that can happen due to kernel
> > enabling of shadow stack based on ELF bits,
> > I would like to know about them.
>
> This wouldn't play nicely with security policies that prevent
> disabling
> the shadow stacks - it would be fine with the prctl() based locking
> but
> something imposed externally with seccomp or similar would be there
> from
> process start.

IIRC we discussed this at some point. Yea, the downside is that exec
doesn't know if all the linked libraries will have shadow stack. So for
compatibility, it would need to leave the "disable" prctl() available
for the loader to use.

On x86 there was discussion of having a WRSS elf bit. (I mention it
towards the similar features on the other archs) But this bit would
work differently. Instead of enabling it if ALL of the DSOs supported
shadow stack, WRSS would be enabled if ANY of the DSOs needed WRSS.
Exec-time enabling would have trouble knowing what to do about this. It
could leave it unlocked to pick later, but this doesn't seem great in a
security focused runtime environment. So a seccomp mode starts to seem
like a separate enabling mode with it's own rules, in which case it
could be left for the future.

I don't think doing exec based enabling will impact the app developers
expectations, because it should be confined to the loader. So it's fine
either way from my perspective.

>
> I'll also note that for arm64 BTI where we're less concerned with
> compatibility (since the protection is per page we only need to make
> sure that each ELF image is BTI enabled when we map it, we don't need
> to
> worry about any further code that might be mapped/loaded) we only
> enforce BTI for the dynamic loader, we still leave it to the dynamic
> loader to remap the main executable as BTI.  The architecture
> maintainers have a strong preference for delegating as much as
> possible
> to userspace in order to reduce the potential for being locked into
> an
> unwanted policy or having difficulty in working around breakage.  The
> issues on x86 are an example of the sort of situation people are
> worried
> about seeing in future.  I personally would be OK with directly
> interpreting the ELF markings there but it wasn't the consensus.
>
> On arm64 there would be the potential for disrupting some limited and
> theoretical use cases where GCS is enabled even though some libraries
> do
> not support it

On x86 we see this case already in testing. Why do you think it is
theoretical?