Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp3255520imm; Mon, 10 Sep 2018 13:42:49 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZN4ijIk4yO6pcfve3HJQNyxim5zaPGg/0XNXxL6dX6Gpy9nI9BFsD2m/NoQ2twdW7eDiLF X-Received: by 2002:a17:902:7d87:: with SMTP id a7-v6mr24227807plm.103.1536612169573; Mon, 10 Sep 2018 13:42:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536612169; cv=none; d=google.com; s=arc-20160816; b=QmQT4sZ7hawNTuhm2lozZwEm5274t4LUytXOVvp5QBVlCutqOIQ7M5ztRIgBKPYE9f zj8deO4rcTZSG6Cj7Hmnj4VWREj7ehqblgYxwrifwri0QPX3PahNdM0qwCLC8DiwwbVe pGDOHpcXzvMgUbkMh6LCdzYx8PIQagIZpplkTpdvJ8qXsubBKJx8JgWcag0Q1ZiwrQnQ T9j5vFB5Ayytlsh4u165xe4HCyprbRpSA5JvV8CWjtoa9l4M9xTHS+MDiS0kP/Pwbav1 MFgB9z7CixU99ABW2CTHp/3Aji5dFPUrx7Mm/JW/+G+MRTIjTyq6rNSgsJK7WBTgK7Yo wbWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=j8QZLsQCppvefp0+yYIm2jhiiMFWBKDDmiMOcSxWrc4=; b=xaUhECQGX64YKQkOB2eIPKGMqVJhDeV5TiE4d18aL6kBUS3qdE83lsJeLEeN8QvD59 pn2xci89Qi2mwg4Jxqdf66qGySqJjDYUXc1Am914NGmLtoxRAhlTiihkG174Pbj4TQrC RT/tHJFWRDuPxxvcolLbx/3DBjfU2VeAQXcmZKaDk0g1+Itb4N/GOb+5wIasuaqgDmE9 8RgheJPEQbXLqX6uo5qDkuGlgis7eTofkWe6S0QCYXaR6DZygpKy8x7W9onVUO2102fN 19ZB0ioojLJOPUDedn17z2Mqc1RvxFYPEc4nk9dc7vkFX9mnsdZ3Uvs8Zyqy3iN/rx7s jpzA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 24-v6si19042605pgx.314.2018.09.10.13.42.32; Mon, 10 Sep 2018 13:42:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726740AbeIKBiQ (ORCPT + 99 others); Mon, 10 Sep 2018 21:38:16 -0400 Received: from mx2.suse.de ([195.135.220.15]:48676 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726043AbeIKBiQ (ORCPT ); Mon, 10 Sep 2018 21:38:16 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id A00C9ADCD; Mon, 10 Sep 2018 20:42:23 +0000 (UTC) Date: Mon, 10 Sep 2018 22:42:21 +0200 (CEST) From: Jiri Kosina To: "Schaufler, Casey" cc: Thomas Gleixner , Ingo Molnar , Peter Zijlstra , Josh Poimboeuf , Andrea Arcangeli , "Woodhouse, David" , Andi Kleen , Tim Chen , "linux-kernel@vger.kernel.org" , "x86@kernel.org" Subject: RE: [PATCH v5 1/2] x86/speculation: apply IBPB more strictly to avoid cross-process data leak In-Reply-To: <99FC4B6EFCEFD44486C35F4C281DC6732144AF24@ORSMSX107.amr.corp.intel.com> Message-ID: References: <99FC4B6EFCEFD44486C35F4C281DC6732144ADF9@ORSMSX107.amr.corp.intel.com> <99FC4B6EFCEFD44486C35F4C281DC6732144AEC9@ORSMSX107.amr.corp.intel.com> <99FC4B6EFCEFD44486C35F4C281DC6732144AF24@ORSMSX107.amr.corp.intel.com> User-Agent: Alpine 2.21 (LSU 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 10 Sep 2018, Schaufler, Casey wrote: > It you're going to call __ptrace_access_check(), I guess you mean __ptrace_may_access() here. > which already includes an LSM hook, it makes a whole lot of sense to > make that the path for doing any module specific checks. It seems wrong > to disable the LSM hook there, then turn around and introduce a new one > that does the check you just disabled. The patches I had proposed > created a new LSM hook because there was not path to an existing hook. > With your addition of __ptrace_access_check() that is no longer an issue > once any locking problems are resolved. Rather than use a new hook, the > existing ptrace hooks ought to work just fine, and any new checks can be > added in a new module that has its own ptrace_access_check hook. Sorry for being dense, but what exactly are you proposing here then? This patch (v4 and v5) explicitly avoids calling out to ptrace_has_cap() (which calls out to LSM through has_ns_capability_*() -> security_capable()) in PTRACE_MODE_IBPB case, exactly to avoid locking issues with security modules; there are known callchains that lead to deadlock. With the same reasoning, security_ptrace_access_check() call is avoided, only there is no know particular callchain that'd lead to a lock being taken, but noone has done such audit (yet), as it's all hidden behind LSM callbacks. So please tell me what exactly you'd like to see changed in the IBPB patch and why exactly, I am not seeing it yet. Thanks, -- Jiri Kosina SUSE Labs