On Thu, 2023-11-16 at 18:41 +0000, Mark Brown wrote:
What about a CLONE_NEW_SHSTK for clone3 that forces a new shadow stack? So keep the existing logic, but the new flag can override the logic for !CLONE_VM and CLONE_VFORK if the caller wants. The behavior of shadow_stack_size is then simple. 0 means use default size, !0 means use the passed size. No need to overload and tie up args->stack.
That does seem like it cuts through the ambiguous cases. If we go for that it feels like we should require the flag when specifying a size, just to be sure that everything is clear. Though having said that we could just always allocate a shadow stack if a size is specified regardless of the flags, requiring people who want non-default behaviour to have some idea what stack size they want. I don't think I have strong opinons between having the new flag or always allocating a stack if a size is specified.
Either of those seem fine to me, but it would be nice to get it vetted by the libc folks before committing. I'd maybe lean towards the one you suggested without the new flag.