Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751807AbeAEMNB (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Fri, 5 Jan 2018 07:13:01 -0500
Received: from www.llwyncelyn.cymru ([82.70.14.225]:50314 "EHLO fuzix.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751775AbeAEMNA (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 5 Jan 2018 07:13:00 -0500
Date: Fri, 5 Jan 2018 12:12:41 +0000
From: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Jon Masters <jcm@redhat.com>,
        "Woodhouse, David" <dwmw@amazon.co.uk>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andi Kleen <andi@firstfloor.org>,
        Greg Kroah-Hartman <gregkh@linux-foundation.org>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Dave Hansen <dave.hansen@intel.com>, Jeff Law <law@redhat.com>,
        Nick Clifton <nickc@redhat.com>
Subject: Re: Avoid speculative indirect calls in kernel
Message-ID: <20180105121241.497742f7@alans-desktop>
In-Reply-To: <alpine.DEB.2.20.1801050153290.2127@nanos>
References: <20180103230934.15788-1-andi@firstfloor.org>
        <CA+55aFzCocoK+4kxAUEhaxxba4RTv3ewBmhiZ8Osc9iDkBtCEQ@mail.gmail.com>
        <e64025e6-9c4f-703d-cb69-29eeb9cc16bd@redhat.com>
        <20180104015920.1ad7b9d3@alans-desktop>
        <e3a0fa73-1328-aa42-13ea-c670c8d4ac87@redhat.com>
        <1515054014.12987.75.camel@amazon.co.uk>
        <403e65be-cfd1-fd08-0401-2e26470b63d4@redhat.com>
        <4dde456c-fd15-e768-8876-5844c8b7c455@redhat.com>
        <alpine.DEB.2.20.1801050153290.2127@nanos>
Organization: Intel Corporation
X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.31; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Fri, 5 Jan 2018 01:54:13 +0100 (CET)
Thomas Gleixner <tglx@linutronix.de> wrote:

> On Thu, 4 Jan 2018, Jon Masters wrote:
> > P.S. I've an internal document where I've been tracking "nice to haves"
> > for later, and one of them is whether it makes sense to tag binaries as
> > "trusted" (e.g. extended attribute, label, whatever). It was something I
> > wanted to bring up at some point as potentially worth considering.  
> 
> Scratch that. There is no such thing as a trusted binary.

There is if you are using signing and the like. I'm sure SELiux and
friends will grow the ability to set per process policy but that's
certainly not a priority.

However the question is wrong. 'trusted' is a binary operator not a unary
one.

The question that matters is

	If I am executing A and about to switch to B does B trust A

because if B trusts A (which in Linuxspeak is 'can A ptrace B') then
there's not much point worrying about protection between them because what
you are trying to prevent is already expressly permitted.

It's even more important if there is a cost to the barrier imposition
because not only can you skip it sometimes but your scheduler can
schedule considering that cost just as it does cache eviction costs.

Alan