Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S965696AbeAKTdO (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Thu, 11 Jan 2018 14:33:14 -0500
Received: from mail-pf0-f194.google.com ([209.85.192.194]:37248 "EHLO
        mail-pf0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753763AbeAKTdN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 11 Jan 2018 14:33:13 -0500
X-Google-Smtp-Source: ACJfBov7dGpyfScj/EAL+UTbwGZt2SWd6sWerFY6aTiO6dEyQ3Xv75sZBJnJ32dPZqV2qfi3UXhTeQ==
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (1.0)
Subject: Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set
From: Andy Lutomirski <luto@amacapital.net>
X-Mailer: iPhone Mail (15C202)
In-Reply-To: <CA+55aFwwWHM2BUVKXemPX3RXXn=TiPXu8YnRXVLB9toRwcKU1g@mail.gmail.com>
Date: Thu, 11 Jan 2018 11:33:09 -0800
Cc: Willy Tarreau <w@1wt.eu>, Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Peter Zijlstra <peterz@infradead.org>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        Borislav Petkov <bp@alien8.de>,
        Brian Gerst <brgerst@gmail.com>,
        Ingo Molnar <mingo@kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Kees Cook <keescook@chromium.org>
Content-Transfer-Encoding: 8BIT
Message-Id: <50EB5B67-E441-43A6-8DD7-650A75B6ABE7@amacapital.net>
References: <1515502580-12261-1-git-send-email-w@1wt.eu> <1515502580-12261-7-git-send-email-w@1wt.eu> <20180110082207.GX29822@worktop.programming.kicks-ass.net> <20180110091102.GH14066@1wt.eu> <CALCETrXQFL2sJPJe_Z8XLEo11V_tLyZR0y4PTRxJzrhmpdsuJg@mail.gmail.com> <CA+55aFwfSKNAYEFWCwCe2vSxejA3X85FnX9t1EdnCRUwC1ou1Q@mail.gmail.com> <20180111064259.GC14920@1wt.eu> <0f08d89e-61e1-20e3-5c59-0b2f7b32bf0c@linux.intel.com> <20180111154412.GA15296@1wt.eu> <CALCETrVcQg_1opnvOP4ksOAC07K4O_LTSxy2czwtObwR3YL+-w@mail.gmail.com> <20180111174025.GB15344@1wt.eu> <CA+55aFzOAAJ+WwA6BGAqW_h-r3_dYNpvgsmHcbpugwu4emcS6g@mail.gmail.com> <CA+55aFwwWHM2BUVKXemPX3RXXn=TiPXu8YnRXVLB9toRwcKU1g@mail.gmail.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>



> On Jan 11, 2018, at 10:26 AM, Linus Torvalds <torvalds@linux-foundation.org> wrote:
> 
> On Thu, Jan 11, 2018 at 10:25 AM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>> 
>> The other case may be the CLONE_NEW* operations. I *think* they are
>> noops as far as PTI settings would be, but I think people should think
>> about them.
> 
> Oh, and yes, I think the npti flag should also break ptrace(). I do
> agree with Andy that it's a "capability", although I do not think it
> should actually be implemented as one.

For all that Linux capabilities are crap, nopti walks like one and quacks like one.  It needs to affect ptrace() permissions, it needs a way to disable it systemwide, it needs LSM integration, etc.  Using CAP_DISABLE_PTI gives us all of this without tons of churn, auditing, and a whole new configuration thingy for each LSM.  And I avoids permanently polluting ptrace checks, the LSM interface, etc for what is, essentially, a performance hack to work around a blatant error in the design of some CPUs.

Plus, with ambient caps, we already did the nasty part of the with and finished all the relevant bikeshedding.

So I'd rather just hold my nose and add the new capability bit.