From: "Schaufler, Casey"
To: Peter Zijlstra, Jiri Kosina
CC: Tim Chen, Thomas Gleixner, Ingo Molnar, Josh Poimboeuf, Andrea Arcangeli, "Woodhouse, David", Oleg Nesterov, "linux-kernel@vger.kernel.org", "x86@kernel.org", "Schaufler, Casey"
Subject: RE: [PATCH v3 1/3] ptrace: Provide ___ptrace_may_access() that can be applied on arbitrary tasks
Date: Wed, 5 Sep 2018 15:37:38 +0000
Message-ID: <99FC4B6EFCEFD44486C35F4C281DC673214476DA@ORSMSX107.amr.corp.intel.com>
References: <31436186-88da-324e-88a0-8fdca7bf60ac@linux.intel.com> <20180905080024.GP24124@hirez.programming.kicks-ass.net>
In-Reply-To: <20180905080024.GP24124@hirez.programming.kicks-ass.net>

> -----Original Message-----
> From: Peter Zijlstra [mailto:peterz@infradead.org]
> Sent: Wednesday, September 05, 2018 1:00 AM
> To: Jiri Kosina
> Cc: Tim Chen; Thomas Gleixner; Ingo Molnar; Josh Poimboeuf;
> Andrea Arcangeli; Woodhouse, David; Oleg Nesterov; Schaufler, Casey;
> linux-kernel@vger.kernel.org; x86@kernel.org
> Subject: Re: [PATCH v3 1/3] ptrace: Provide ___ptrace_may_access() that can
> be applied on arbitrary tasks
>
> On Tue, Sep 04, 2018 at 07:35:29PM +0200, Jiri Kosina wrote:
> > On Tue, 4 Sep 2018, Tim Chen wrote:
> >
> > > > Current ptrace_may_access() implementation assumes that the 'source' task is
> > > > always the caller (current).
> > > >
> > > > Expose ___ptrace_may_access() that can be used to apply the check on arbitrary
> > > > tasks.
> > >
> > > Casey recently has proposed putting the decision making of whether to
> > > do IBPB in the security module.
> > >
> > > https://lwn.net/ml/kernel-hardening/20180815235355.14908-4-casey.schaufler@intel.com/
> > >
> > > That will have the advantage of giving the administrator more flexibility
> > > of when to turn on IBPB. The policy is very similar to what you have proposed here
> > > but I think the security module is a more appropriate place for the security policy.
> >
> > Yeah, well, honestly, I have a bit of a hard time buying the "generic
> > sidechannel prevention security module" idea, given how completely
> > different in nature all the mitigations have been so far. I don't see that
> > trying to abstract this somehow provides more clarity.
> >
> > So if this should be done in LSM, it'd probably have to be written by
> > someone else than me :) who actually understands how the "sidechannel LSM"
> > idea works.
>
> Yeah, I'm not convinced on LSM either. Let's just do these here patches
> first and then Casey can try and convince us later.

Works for me. There are advantages to doing it either way.
The LSM approach allows you to consider implications of LSM data,
which you can't do otherwise. Once the hook is available it
becomes the obvious place to do other checks.