[PATCH v2 2/2] elf: Make non-executable stack disable by default

Adhemerval Zanella Netto adhemerval.zanella@linaro.org
Mon Jun 17 12:27:21 GMT 2024



On 14/06/24 14:56, Zack Weinberg wrote:
> On Fri, Jun 14, 2024, at 8:50 AM, Adhemerval Zanella wrote:
>> It is past time to not allow executable stacks as default, even if
>> kernel protection like SELinux already exists (although not widely
>> deployed).  Binutils 2.39 now warns of the need of executable stacks
>> by default [1] and gcc nested function trampolines can now be heap
>> based [2] (besides being a gcc-only extension).
> 
> I want to be clear that I fully support disallowing executable stacks
> by default, and, in fact, removing the code to support them.  If Florian
> thinks we need a transition period, then I believe him, but I think
> we should be loud and specific about the timeline toward complete
> removal, and that timeline should be as short as possible.
> Something like:
> 
> 2.40:
>   - executable stacks disabled for setuid binaries and dlopened
>     modules, with no override
>   - for non-setuid binaries, an executable stack will continue
>     to be provided based on PT_GNU_EXECSTACK, but we only
>     look at the main executable and its static dependencies
>     for that annotation
>   - tunable allows executable stacks to be turned off system-wide
> 
> 2.41:
>   - flip the default for the tunable: executable stacks are off
>     system-wide but can be re-enabled (for binaries that request them)
> 
> 2.43 (one year after the release of 2.41), assuming hurd and hppa-linux
> have caught up:
>   - all support code for executable stacks permanently removed
> 
>> For compatibility, a new tunable, glibc.rtld.noexecstack

Thanks for the feedback and this seems reasonable.  I will update my
patch to:

  1. Remove the executable stack switch that changes the stack permission
     of all running threads in the dlopen case.  This would remove the
     support of loading a module with executable stack from a process with
     nx-stack set for setuid and non-setuid binaries.

     If the main process requires an executable stack, the loader and libc
     will continue to both change the top of stack permission and create
     executable stack with executable bit.

  2. Add a tunable to disable executable stacks altogether, and default
     it to not enforce it.

  3. Remove executable stack support altogether from setuid binaries.

And later, in 2.41, we can switch the tunable default to disable executable
stacks.

> 
> Can we please call this tunable glibc.rtld.execstack instead of
> glibc.rtld.noexecstack, with a value of 0 meaning executable
> stacks are forbidden and 1 meaning they are allowed?  The double
> negative is going to confuse people.

Yeah, I am unsure about the naming (I used the usual binutils naming
to disable stack on x86).  I will change to execstack.

