Date: Mon, 29 Jan 2018 14:14:46 +0100
From: Pavel Machek
To: Alan Cox
Cc: Martin Schwidefsky, Dominik Brodowski, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, kvm@vger.kernel.org, Heiko Carstens, Christian Borntraeger, Paolo Bonzini, Cornelia Huck, David Hildenbrand, Greg Kroah-Hartman, Jon Masters, Marcus Meissner, Jiri Kosina, w@1wt.eu, keescook@chromium.org, thomas.lendacky@amd.com, dwmw@amazon.co.uk, ak@linux.intel.com
Subject: Re: Avoiding information leaks between users and between processes by default? [Was: : [PATCH 1/5] prctl: add PR_ISOLATE_BP process control]
Message-ID: <20180129131446.GB4669@amd>
In-Reply-To: <20180124204622.1f7b0de2@alans-desktop>
List-ID: linux-kernel@vger.kernel.org

On Wed 2018-01-24 20:46:22, Alan Cox wrote:
> > Anyway, no need to add prctl(), if A can ptrace B and B can ptrace A,
> > leaking info between them should not be a big deal. You can probably
> > find existing macros doing necessary checks.
>
> Until one of them is security managed so it shouldn't be able to ptrace
> the other, or (and this is the nasty one) when a process is executing
> code it wants to protect from the rest of the same process (e.g. an
> untrusted jvm, javascript or probably nastiest of all webassembly)
>
> We don't need a prctl for trusted/untrusted IMHO but we do eventually
> need to think about APIs for "this lot is me but I don't trust
> it" (flatpak, docker, etc) and for what JIT engines need to do.

Agreed. And yes, JITs are interesting, and given the latest
rowhammer/side-channel attacks, something we may want to limit in
future... It sounds nice on paper but is just risky.

Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(Czech, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
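As an added example (not part of this e-mail and not the kernel's own code), here is a simplified user-space model of the credential rules Linux applies in ptrace_may_access() (kernel/ptrace.c), used to evaluate the "A can ptrace B and B can ptrace A" criterion from the quoted text. It also shows Alan's first caveat: once a target is security-managed, the symmetry breaks and isolation is needed again. The struct layout, the `security_managed` flag standing in for an LSM veto, the `make_task` helper and every function name are assumptions of this example; the intra-process JIT case is outside what a per-task check can express.

```c
/*
 * Illustrative model only: a reduced version of the checks the kernel does
 * in ptrace_may_access(). The uid/gid rule, the dumpable rule and the
 * capability override follow the kernel; the LSM hook is modelled as a
 * single boolean veto. Struct and function names are this example's own.
 */
#include <stdbool.h>
#include <stdio.h>

struct cred_m {
    unsigned uid, euid, suid;   /* real, effective, saved user ids */
    unsigned gid, egid, sgid;   /* real, effective, saved group ids */
    bool cap_sys_ptrace;        /* holds CAP_SYS_PTRACE in the target's user namespace */
};

struct task_m {
    int pid;
    struct cred_m cred;
    bool dumpable;              /* cleared after a setuid transition or PR_SET_DUMPABLE 0 */
    bool security_managed;      /* an LSM policy forbids tracing this task (modelled as a veto) */
};

/* Constructed task with identical real/effective/saved ids (example helper). */
struct task_m make_task(int pid, unsigned uid, unsigned gid,
                        bool dumpable, bool managed, bool cap)
{
    struct task_m t = { pid, { uid, uid, uid, gid, gid, gid, cap }, dumpable, managed };
    return t;
}

/* Rule 1: the caller's real uid/gid must match every id of the target,
 * unless the caller holds CAP_SYS_PTRACE. */
static bool same_creds_or_capable(const struct task_m *caller,
                                  const struct task_m *target)
{
    const struct cred_m *c = &caller->cred, *t = &target->cred;
    bool same = c->uid == t->euid && c->uid == t->suid && c->uid == t->uid &&
                c->gid == t->egid && c->gid == t->sgid && c->gid == t->gid;
    return same || c->cap_sys_ptrace;
}

/* Simplified ptrace_may_access(): true when caller may trace target. */
bool may_ptrace(const struct task_m *caller, const struct task_m *target)
{
    if (caller->pid == target->pid)
        return true;                       /* a task may always trace itself */
    if (!same_creds_or_capable(caller, target))
        return false;                      /* different user, no capability */
    if (!target->dumpable && !caller->cred.cap_sys_ptrace)
        return false;                      /* non-dumpable targets need the capability */
    if (target->security_managed)
        return false;                      /* LSM veto (Alan's "security managed" case) */
    return true;
}

/* The criterion from the thread: if A and B can already ptrace each other,
 * isolating their CPU side channels from one another buys nothing. */
bool needs_isolation(const struct task_m *a, const struct task_m *b)
{
    return !(may_ptrace(a, b) && may_ptrace(b, a));
}

int main(void)
{
    /* Constructed sample tasks, not real pids or policies. */
    struct task_m shell  = make_task(100, 1000, 1000, true,  false, false);
    struct task_m editor = make_task(101, 1000, 1000, true,  false, false);
    struct task_m other  = make_task(102, 1001, 1001, true,  false, false);
    struct task_m setuid = make_task(103, 1000, 1000, false, false, false);
    struct task_m rootd  = make_task(1,   0,    0,    true,  false, true);
    struct task_m sandb  = make_task(104, 1000, 1000, true,  true,  false);

    printf("shell vs editor (same uid):      isolate=%d\n", needs_isolation(&shell, &editor));
    printf("shell vs other user:             isolate=%d\n", needs_isolation(&shell, &other));
    printf("shell vs non-dumpable:           isolate=%d\n", needs_isolation(&shell, &setuid));
    printf("shell vs root (asymmetric):      isolate=%d\n", needs_isolation(&shell, &rootd));
    printf("shell vs LSM-managed sandbox:    isolate=%d\n", needs_isolation(&shell, &sandb));
    return 0;
}
```

The root case is the one to note: root can trace the user's shell but not the other way round, so a one-directional check would wrongly skip isolation; the criterion has to be evaluated in both directions, as the quoted sentence states it.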