Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1031644imm; Fri, 28 Sep 2018 10:41:34 -0700 (PDT) X-Google-Smtp-Source: ACcGV63+7RHzc7eCEXjtS/Cco6bq3vOreroeiL1nRXKcgGMplH9YK0gvGCwQy11brcYj1mSf1Y1C X-Received: by 2002:a62:be03:: with SMTP id l3-v6mr17967267pff.138.1538156494313; Fri, 28 Sep 2018 10:41:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538156494; cv=none; d=google.com; s=arc-20160816; b=qipydkakvr6lVG9Qg/XxkcPcxLPfKPBEaY65rEF1zkI6zFWs3eQerIOhdjlhfwlrMN EhHj9YNY32fwzcKk05cV3lU1ULpMMxdkLyTow1gBg8loLzcN6uyFEYyEj/MbxHiSTwx0 ZA01gUN3wHtVknECghILHdcw6LwqvQKfG0MlXQUvixeYkmbuuRDqeENqIwDYN4Ca3kJe 2jUm7H8l/wpfpyKllkD2IED2Mk/KPrA4gysCuDw4j30pSVZ1Ppb8MpL7MmhUmkFgrCz7 Y8l+eGG7QWgUFdnoVFmI+uZN0D17p5HW08d10+/auk7cXsW+BgpsI1i6oLWnu9ecAJ15 TyFQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :dlp-reaction:dlp-version:dlp-product:content-language :accept-language:in-reply-to:references:message-id:date:thread-index :thread-topic:subject:cc:to:from; bh=xBO9//UTp38bUOQTudPpebaOOslVgnY6G0bV1wEIUY8=; b=kiJMgkOZwGC9OgB4VXNC4XzwDydnG5DfNVlmPq3nD62zroEBteORZ12g7+sb6Ap90E 6vyqsDpbbUcw1+AxJrQiBfxge6POiRjPuXDduyA1DlPVb2Cnd7FbiUd46qb8LwM/Ha35 RDg+IvC1EBzHJJkJsxXOrhOi3tewoXec4fOPHq4tzWwRkDbrucBR/SZLDWHfMiGOzXdw 0nbYZAx2ZAOxVhmS1dJRHaS5gkYLaNR7t6cVaUnGcnX1LMVEVOENBKmVqRJ8ObBOv2CQ iAA+7AX77Eq61lwDWJsl2uIB1s179blEsHmFvkrLlfk4bDNke6REeyjW64tyseFf70A3 h1pw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m185-v6si5408055pgm.206.2018.09.28.10.41.18; Fri, 28 Sep 2018 10:41:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727251AbeI2AFx convert rfc822-to-8bit (ORCPT + 99 others); Fri, 28 Sep 2018 20:05:53 -0400 Received: from mga06.intel.com ([134.134.136.31]:16593 "EHLO mga06.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726100AbeI2AFx (ORCPT ); Fri, 28 Sep 2018 20:05:53 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga004.fm.intel.com ([10.253.24.48]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Sep 2018 10:41:02 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.54,315,1534834800"; d="scan'208";a="92981659" Received: from orsmsx105.amr.corp.intel.com ([10.22.225.132]) by fmsmga004.fm.intel.com with ESMTP; 28 Sep 2018 10:40:53 -0700 Received: from orsmsx107.amr.corp.intel.com ([169.254.1.14]) by ORSMSX105.amr.corp.intel.com ([169.254.2.136]) with mapi id 14.03.0319.002; Fri, 28 Sep 2018 10:40:53 -0700 From: "Schaufler, Casey" To: James Morris , Jann Horn CC: Casey Schaufler , "kristen@linux.intel.com" , Kernel Hardening , "Dock, Deneen T" , kernel list , "Hansen, Dave" , linux-security-module , "selinux@tycho.nsa.gov" , Arjan van de Ven Subject: RE: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel Thread-Topic: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel Thread-Index: AQHUVdhkFYvudVbH2U6ou/rRnPpFo6UFIFYAgAAPVgCAAAIMgP//kjvQgAB9doCAAAExgIABGPwA//+XhgA= Date: Fri, 28 Sep 2018 17:40:52 +0000 Message-ID: <99FC4B6EFCEFD44486C35F4C281DC6732146466E@ORSMSX107.amr.corp.intel.com> References: <20180926203446.2004-1-casey.schaufler@intel.com> <20180926203446.2004-6-casey.schaufler@intel.com> <025d4742-5947-545e-f603-502a0c5ee03f@schaufler-ca.com> <99FC4B6EFCEFD44486C35F4C281DC67321463CE3@ORSMSX107.amr.corp.intel.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiMWZiNjIzNTYtODQ5Yi00N2Y2LTkzNTMtNWExNTFkZDIzODFkIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoiMmw1aGthVnVJRFRwSlNKZU1LVUg3M2loWmM5ZFp2dllkbUhRVnhuZ3N3UXJUeks4R0dlbWJqTEYyWWtiYTE5QSJ9 x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.400.15 dlp-reaction: no-action x-originating-ip: [10.22.254.140] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > -----Original Message----- > From: James Morris [mailto:jmorris@namei.org] > Sent: Friday, September 28, 2018 9:33 AM > To: Jann Horn > Cc: Schaufler, Casey ; Casey Schaufler > ; kristen@linux.intel.com; Kernel Hardening > ; Dock, Deneen T > ; kernel list ; > Hansen, Dave ; linux-security-module module@vger.kernel.org>; selinux@tycho.nsa.gov; Arjan van de Ven > > Subject: Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel > > On Fri, 28 Sep 2018, Jann Horn wrote: > > > > so with this hard-coded logic, you are saying this case is > > > 'safe' in a sidechannel context. > > > > > > Which hints at the deeper issue that containers are a userland > > > abstraction. Protection of containers needs to be defined by userland > > > policy. > > > > Or just compare mount namespaces additionally/instead. I think that > > containers will always use those, because AFAIK nobody uses chroot() > > for containers, given that the kernel makes absolutely no security > > guarantees about chroot(). > > We can't define this in the kernel. It has no concept of containers. > > People utilize some combination of namespaces and cgroups and call them > containers, There is an amazing variety of things called containers out there. I cite them as a use case, not a requirement. > but we can't make assumptions from the kernel on what any of > this means from a security point of view, and hard-code kernel policy > based on those assumptions. We can assume that namespaces are being used as a separation mechanism. That makes processes in different namespaces potentially vulnerable to side-channel attacks. That's true regardless of whether or not someone is using namespaces to implement containers. > This is violating the principal of separating mechanism and policy, and > also imposing semantics across the kernel/user boundary. The latter > creates an ABI which we can then never break. The effects of the sidechannel security module are not API visible. The potential impact is on performance. This implementation of PTRACE_MODE_SCHED does not change what happens, but may affect when it happens. It is intended to aid in optimizing the use of expensive anti-side-channel countermeasures.