Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752888AbeAJTpI (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Wed, 10 Jan 2018 14:45:08 -0500
Received: from mail.kernel.org ([198.145.29.99]:43460 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751486AbeAJTpF (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 10 Jan 2018 14:45:05 -0500
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 7661B21746
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org
X-Google-Smtp-Source: ACJfBotrz/VQmAiN26Op82+t2M9ynBTXQ1WhJYb3sqQz6uWcFYg2bN2yF9B5hfwUHfsvZid1zfuTgfhua/9sXHDWvVQ=
MIME-Version: 1.0
In-Reply-To: <20180110193921.GA14378@1wt.eu>
References: <1515502580-12261-1-git-send-email-w@1wt.eu> <1515502580-12261-7-git-send-email-w@1wt.eu>
 <20180110082207.GX29822@worktop.programming.kicks-ass.net>
 <20180110091102.GH14066@1wt.eu> <CALCETrXQFL2sJPJe_Z8XLEo11V_tLyZR0y4PTRxJzrhmpdsuJg@mail.gmail.com>
 <20180110193921.GA14378@1wt.eu>
From: Andy Lutomirski <luto@kernel.org>
Date: Wed, 10 Jan 2018 11:44:43 -0800
X-Gmail-Original-Message-ID: <CALCETrViPUR7m-+RRqudGBq+SSOstEDhgKB7=3XRmpHFfDCSoA@mail.gmail.com>
Message-ID: <CALCETrViPUR7m-+RRqudGBq+SSOstEDhgKB7=3XRmpHFfDCSoA@mail.gmail.com>
Subject: Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when
 pti_disable is set
To: Willy Tarreau <w@1wt.eu>
Cc: Andy Lutomirski <luto@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        Borislav Petkov <bp@alien8.de>,
        Brian Gerst <brgerst@gmail.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Ingo Molnar <mingo@kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Kees Cook <keescook@chromium.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Wed, Jan 10, 2018 at 11:39 AM, Willy Tarreau <w@1wt.eu> wrote:
> Hi Andy,
>
> On Wed, Jan 10, 2018 at 11:21:15AM -0800, Andy Lutomirski wrote:
>> > If we agree on this, I'd like to propose to have two flags :
>> >
>> >   - TIF_DISABLE_PTI_NOW : disable PTI for the current task, reset by execve()
>> >   - TIF_DISABLE_PTI_NEXT : disable PTI after execve(), reset by execve()
>>
>> I really dislike state that isn't cleared on execve().  I'm assuming
>> that this is so you can run time pwn_me_without_pti whatever?
>
> Yes exactly. I've just sent a 3rd series with an example code for this.
> In fact it's not that the state is not cleared by execve(), it's that
> it's set for the next execve() which then resets it.
>
>> Surely LD_PRELOAD can do this, too?
>
> That was one of my other proposals. I really don't know if LD_PRELOAD
> fits anyone's usage for such things (static/setuid binaries, complication
> to pass variables maybe).
>
> Please take a look and tell me if you still dislike it or not.
>

Adding flags that persist across execve() of setuid stuff is IMO even
worse.  It just makes reasoning about the system's security model
really nasty.