Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2864888imm; Tue, 4 Sep 2018 11:12:21 -0700 (PDT) X-Google-Smtp-Source: ANB0Vda/wg3F/h7oM9zea5OOoHHW5BhlveuD1v8eX6QLUYcVG4wtmvpBx4teu9mB/vPJwQMauNmP X-Received: by 2002:a62:2285:: with SMTP id p5-v6mr36199441pfj.53.1536084741031; Tue, 04 Sep 2018 11:12:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536084741; cv=none; d=google.com; s=arc-20160816; b=ojVU9HrqyS4EQYZ5TrrFYDMWhvQIZUhYPu5kPUa3OV8+L2gl3YgioeCmG+aQ+NVV7+ kOuHSv/Yu2IDM6PkZe4k4MRelWxMYu8QOx0f8x1X/51qS+kdwPmiMnwgOPY8BdsFt4xm go9ptL8HaXUWu7tlJYYqkuET9HnhFatSH6IhSKv1gQUSjE0CzKaBaFb2p4TelMOzmE/w 46ZssqrK7Cj5YJ7RrUO+RHs+3H+ocw8UUldy5ld2E03gsiy5wWar4nmJPj/aH9urCL4y glUHENBndwpfSF/XMLVMlEhBCd/hvmAOH7FrX4VA9NrEYw46vNIuvnm/k60jzIZxuzR7 DGxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-version:dlp-product:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from:arc-authentication-results; bh=L2KUEJy6Lzb9J9snn5n5/j5h24P5ShwFv1W+6E1RTLw=; b=ghlwCRWuElkKtFLTKMSR8Kafm3ZjUVMHkz7FhO3w3+7w7BrzNskCpiaUcaMw+EwCg+ OdgIpNwwHM7rW7LMpq7dF0RYGdPcxWrpbvJyVcw2FMbmNghuhl4q7QkXpm2pY/0XyTPb 77pWyzEjIg/zM0isfAZ7UGk/ZbjJOry3nbrDfDv6/dhelF1L8uaHRA0CQM3RUOuB+1xN tF/NBySpwJYQoxaoKbIuk8ngqbUbQt/8/Jtgpsksxw1OHcHpr2FuyPtsQRb05cmYhNug r+aIFxmCoc3I+YEgU4YF9k9Iqs/fw3sqnx7ssjOxru0x71p2PWKEDVTZA62kSmGXcEsw Kg+Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u69-v6si19733064pgd.547.2018.09.04.11.12.04; Tue, 04 Sep 2018 11:12:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727431AbeIDWhD convert rfc822-to-8bit (ORCPT + 99 others); Tue, 4 Sep 2018 18:37:03 -0400 Received: from mga18.intel.com ([134.134.136.126]:41057 "EHLO mga18.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726304AbeIDWhD (ORCPT ); Tue, 4 Sep 2018 18:37:03 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 Sep 2018 11:10:49 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,330,1531810800"; d="scan'208";a="77929420" Received: from orsmsx103.amr.corp.intel.com ([10.22.225.130]) by FMSMGA003.fm.intel.com with ESMTP; 04 Sep 2018 11:10:48 -0700 Received: from orsmsx151.amr.corp.intel.com (10.22.226.38) by ORSMSX103.amr.corp.intel.com (10.22.225.130) with Microsoft SMTP Server (TLS) id 14.3.319.2; Tue, 4 Sep 2018 11:10:48 -0700 Received: from orsmsx107.amr.corp.intel.com ([169.254.1.245]) by ORSMSX151.amr.corp.intel.com ([169.254.7.211]) with mapi id 14.03.0319.002; Tue, 4 Sep 2018 11:10:48 -0700 From: "Schaufler, Casey" To: Jiri Kosina , Tim Chen CC: Thomas Gleixner , Ingo Molnar , Peter Zijlstra , Josh Poimboeuf , Andrea Arcangeli , "Woodhouse, David" , Oleg Nesterov , "linux-kernel@vger.kernel.org" , "x86@kernel.org" , "Schaufler, Casey" Subject: RE: [PATCH v3 1/3] ptrace: Provide ___ptrace_may_access() that can be applied on arbitrary tasks Thread-Topic: [PATCH v3 1/3] ptrace: Provide ___ptrace_may_access() that can be applied on arbitrary tasks Thread-Index: AQHURHR5V11JrRcNJkuXhYQimpS2TqTg18iA//+QVJA= Date: Tue, 4 Sep 2018 18:10:47 +0000 Message-ID: <99FC4B6EFCEFD44486C35F4C281DC67321447094@ORSMSX107.amr.corp.intel.com> References: <31436186-88da-324e-88a0-8fdca7bf60ac@linux.intel.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiZWZhNDQ2YzAtYzZhOC00NDA4LThhYjMtYWJmNDcwYjBmNDI3IiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiY3BHV3V3akVrVzQ4YXh6XC9haSt2MWlWM2MxdVAwSmZsWXhpMG1VMkNiMW91MHVIY2JVUUZxRkt5RytXVTVHMTAifQ== x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.400.15 dlp-reaction: no-action x-originating-ip: [10.22.254.138] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > -----Original Message----- > From: Jiri Kosina [mailto:jikos@kernel.org] > Sent: Tuesday, September 04, 2018 10:35 AM > To: Tim Chen > Cc: Thomas Gleixner ; Ingo Molnar ; > Peter Zijlstra ; Josh Poimboeuf > ; Andrea Arcangeli ; > Woodhouse, David ; Oleg Nesterov > ; Schaufler, Casey ; linux- > kernel@vger.kernel.org; x86@kernel.org > Subject: Re: [PATCH v3 1/3] ptrace: Provide ___ptrace_may_access() that can > be applied on arbitrary tasks > > On Tue, 4 Sep 2018, Tim Chen wrote: > > > > Current ptrace_may_access() implementation assumes that the 'source' > task is > > > always the caller (current). > > > > > > Expose ___ptrace_may_access() that can be used to apply the check on > arbitrary > > > tasks. > > > > Casey recently has proposed putting the decision making of whether to > > do IBPB in the security module. > > > > https://lwn.net/ml/kernel-hardening/20180815235355.14908-4- > casey.schaufler@intel.com/ > > > > That will have the advantage of giving the administrator a more flexibility > > of when to turn on IBPB. The policy is very similar to what you have proposed > here > > but I think the security module is a more appropriate place for the security > policy. > > Yeah, well, honestly, I have a bit hard time buying the "generic > sidechannel prevention security module" idea, given how completely > different in nature all the mitigations have been so far. I don't see that > trying to abstract this somehow provides more clarity. The real reason to use an LSM based approach is that overloading ptrace checks is a Really Bad Idea. Ptrace is a user interface. Side-channel is a processor interface. Even if ptrace_may_access() does exactly what you want it to for side-channel mitigation today it would be incredibly inappropriate to tie the two together for eternity. You don't want to restrict the ptrace checks to only those things that are also good for side-channel, and vice versa. > So if this should be done in LSM, it'd probably have to be written by > someone else than me :) who actually understands how the "sidechannel LSM" > idea works. Yes. That would be me. > > Thanks, > > -- > Jiri Kosina > SUSE Labs