Received: by 10.223.176.46 with SMTP id f43csp909313wra; Wed, 24 Jan 2018 07:44:23 -0800 (PST) X-Google-Smtp-Source: AH8x226OjvnZlrnc4em+HnLo/9AVCDqtUveS3LjtbfzqDdFKhg8Y4qTXG0I+bpsMseDzLClIvZ7h X-Received: by 10.99.126.86 with SMTP id o22mr11263133pgn.364.1516808663853; Wed, 24 Jan 2018 07:44:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1516808663; cv=none; d=google.com; s=arc-20160816; b=kyOhFBY+U20L6cd50vh7c6BieDrV276yDK/VyuK0TwOddlspfic83JZvDCJyDHxy7/ /nnP1VLDB1zL6/1rCwMqKnLY65qzZkiJYm7jejZ5NC07ClD6xnwe1HvN8CI41ZuRLXbl P3HN7e7i/YmBoddDFO4251AMgonsr9ejVyD2LBPidBVHCE+SOub4UpxYvJvZR+mLbPDE 59o/s+8QVVFHt02S2MmlRdAYQTAix3XC7gOZgvZgJMpq7sKZ7p1zgWTpe3i57yNbSomT lyJoIU4VYcn8IANzBELxM9CmnPj6vJ2Mx7OY310vUlpa9RuybijYlVweTHjGjrUTZShT WiDA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date:arc-authentication-results; bh=V0iCKHIGVHBrs4mEh9h3jV8b/pXeSNkJsOzkzTDWW8Q=; b=aIgGhRwMsxjCNnFnJTIHxDpLtaKV51eeXt3T0yiiuNYg3ajpvXsUlGaFYpkeRgNBYT naDBWjEfa7GafPKGVzStKw85dUfT/9YlGcfx+bfhdzx2fhvHbe2pdz09NqT8iWqyqwlM U9WpS3Wigx8eODq7VUGxhJ7uJv+L9IUQCSfT18QCSr8s4Ja32jZlUIN9Xf+tONtlhdRQ hbqZmwsccXHfVo9Mqt/5M9dq+1TkmqG2vFNgP4zb5I7XnxbkAuHxxlsFlVJuHz+cnjTa GajB5WteNCjJeTknSRuJ1sbB8zmDg0r9+ChpQCBAEQayQ7euqKlpN01rRmB6HEXpyZoq UKmA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b61-v6si365888plb.709.2018.01.24.07.44.09; Wed, 24 Jan 2018 07:44:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934168AbeAXPnn (ORCPT + 99 others); Wed, 24 Jan 2018 10:43:43 -0500 Received: from www.llwyncelyn.cymru ([82.70.14.225]:35356 "EHLO fuzix.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933953AbeAXPnl (ORCPT ); Wed, 24 Jan 2018 10:43:41 -0500 Received: from alans-desktop (82-70-14-226.dsl.in-addr.zen.co.uk [82.70.14.226]) by fuzix.org (8.15.2/8.15.2) with ESMTP id w0OFgsBW008688; Wed, 24 Jan 2018 15:42:54 GMT Date: Wed, 24 Jan 2018 15:42:54 +0000 From: Alan Cox To: Dominik Brodowski Cc: Martin Schwidefsky , linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, kvm@vger.kernel.org, Heiko Carstens , Christian Borntraeger , Paolo Bonzini , Cornelia Huck , David Hildenbrand , Greg Kroah-Hartman , Jon Masters , Marcus Meissner , Jiri Kosina , w@1wt.eu, keescook@chromium.org, thomas.lendacky@amd.com, dwmw@amazon.co.uk, ak@linux.intel.com, pavel@ucw.cz Subject: Re: Avoiding information leaks between users and between processes by default? [Was: : [PATCH 1/5] prctl: add PR_ISOLATE_BP process control] Message-ID: <20180124154254.318ddde4@alans-desktop> In-Reply-To: <20180124083705.GA14868@light.dominikbrodowski.net> References: <1516712825-2917-1-git-send-email-schwidefsky@de.ibm.com> <1516712825-2917-2-git-send-email-schwidefsky@de.ibm.com> <20180123170719.GA4154@isilmar-4.linta.de> <20180124072953.50851fec@mschwideX1> <20180124083705.GA14868@light.dominikbrodowski.net> Organization: Intel Corporation X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.31; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 24 Jan 2018 09:37:05 +0100 > To my understanding, Linux traditionally tried to aim for the security goal > of avoiding information leaks *between* users[+], probably even between > processes of the same user. It wasn't a guarantee, and there always were Not between processes of the same user in general (see ptrace or use gdb). > (and will be) information leaks -- and that is where additional safeguards > such as seccomp come into play, which reduce the attack surface against seccomp is irrelevant on many processors (see the Armageddon paper). You can (given willing partners) transfer data into and out of a seccomp process at quite a respectable rate depending upon your hardware features. > I am a bit worried whether this is a sign for a shift in the security goals. > I fully understand that there might be processes (e.g. some[?] kernel > threads) and users (root) which you need to trust anyway, as they can dumpable is actually very useful but only in a specific way. The question if process A is dumpable by process B then there is no meaningful protection between them and you don't need to do any work. Likewise if A and B can dump each other and are both running on the same ht pair you don't have to worry about them attacking one another. In all those cases they can do it with ptrace already. [There's a corner case here of using BPF filters to block ptrace] Alan