Subject: Re: [PATCH v10 09/12] arch/x86: enable task isolation functionality
From: Chris Metcalf
To: Andy Lutomirski
CC: Kees Cook, Thomas Gleixner, Christoph Lameter, Andrew Morton, Viresh Kumar, Ingo Molnar, Steven Rostedt, Tejun Heo, Gilad Ben Yossef, Will Deacon, Rik van Riel, Frederic Weisbecker, Paul E. McKenney, linux-kernel@vger.kernel.org, X86 ML, H. Peter Anvin, Catalin Marinas, Peter Zijlstra
Date: Wed, 9 Mar 2016 16:13:25 -0500
Message-ID: <56E091F5.6090509@mellanox.com>
References: <1456949376-4910-1-git-send-email-cmetcalf@ezchip.com> <1456949376-4910-10-git-send-email-cmetcalf@ezchip.com> <56D895EA.1060301@mellanox.com> <56DDE9C9.5060900@mellanox.com> <56DF38BA.9030007@mellanox.com> <56E09031.8050007@mellanox.com>
List: linux-kernel@vger.kernel.org

On 3/9/2016 4:07 PM, Andy Lutomirski wrote:
> On Wed, Mar 9, 2016 at 1:05 PM, Chris Metcalf wrote:
>> On 3/9/2016 3:58 PM, Andy Lutomirski wrote:
>>>> My preference would be not to have to require all task-isolation users
>>>> to also figure out all the complexities of creating BPF programs, so
>>>> my intention is to have task isolation automatically generate a BPF
>>>> program (just allowing prctl/exit/exit_group and failing everything
>>>> else with SIGSYS). To support having it work this way, I open up
>>>> the seccomp stuff a little so that kernel clients can effectively
>>>> push/pop a BPF program into seccomp:
>>> That sounds like a great use case for the new libtaskisolation that
>>> someone is surely writing :)
>>
>> Happily, task isolation is so simple an API that all that is needed is a
>> prctl().
>>
>> ... Unless somehow a requirement to inflict a huge blob of eBPF into the
>> kernel just to use task isolation safely is added, of course :-)
> BPF, not eBPF. Also, it's a tiny blob.
>
> And this still has nothing to do with using it safely. This has to do
> with catching your own bugs.

Fair enough, I suppose. But I was exaggerating for effect: I still think
that this is something that can be easily hidden under the prctl() to avoid
adding a noticeable burden on users who want to be able to catch bugs.
(And those bugs can come from third-party libraries in complex code; the
amount of code in a task-isolation driver is not always easily audited, so
having this kind of a backstop can be pretty useful.)

If you think the basic direction of the previous patch is sound, I'll spin
up the code that hooks it into task isolation, and we can see more directly
whether the tradeoff of a bit more code in the kernel seems worth it.

-- 
Chris Metcalf, Mellanox Technologies
http://www.mellanox.com