Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp2334365ybb;
        Sat, 21 Mar 2020 19:30:38 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vsJ4uSs0xhB8l9uJqwstOrVe+BagA/3XpiKmqSEcOro9lnAUq62N1zED9W2Rr9mCaw+WMEx
X-Received: by 2002:a9d:5cc8:: with SMTP id r8mr13217528oti.345.1584844237967;
        Sat, 21 Mar 2020 19:30:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1584844237; cv=none;
        d=google.com; s=arc-20160816;
        b=X5TtJflvxzu6czxC69ZYTOSbpRnIMOGtMnkBfaokxUdl3TomDFBraZMuP0p1a0tD3M
         I9r909rxMvLDNARU/4BrUhpH9qY3USdl96Mf5aCtk9WcX25xps1dvvhcYF1TlXZd64n+
         aTZqZ87W39JlDeKjSojpXyo5SnYqljpLRXtd2NBTmwZXsxoPjrCx57yH5p8RkVjGxJbq
         t72TF5Y3KJa22tieBeHwOMKfC1J+fs9U4yXklzpofWnVheVKkjN7eTcubzKL9Hi20mjF
         IUOlEh/zu8xVWTF4+BO7wp3PzYuPpXnnNpvpJg9gnQHfWR5TEanwjsN0N4T551D8JWWO
         IM1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=arQnpFHOoa7S/s1PfPQOvxZBgmi2F7VexqtjKFUPC54=;
        b=nAJY5BiBHDOWJvSkFmhnffHYWWxUZpfknYY5g6xNZQemJAVBN6rWTGk4NQW/WvriEU
         tAjN0FyR1sfjbArcLDnkH4v58IJXAasUbqipZfj068P+lx7t18zH/gz2l0lhmYDSnwsp
         PM5roRwjW1smjGq7I+N9FBdBJ+FYCatpy/CR0ZKTS53jcBzv54EJbejM0N9nXT0oIAtS
         rpSHceCOn/ZkxdsW9CeWqboy9WWzXvJM5GVh9ubQgZ9jRGeTdq+0960ZmBzS7fecgyn6
         y/B/9hWyt8D/gLaPfyU7voF391WBF8GrbcWDcuodI2y7rHRcoUqityazwPcBd0pmfqjb
         v4mA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=Say68nV5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v20si5993397otn.278.2020.03.21.19.30.25;
        Sat, 21 Mar 2020 19:30:37 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=Say68nV5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728118AbgCVC31 (ORCPT <rfc822;tnerolf.eriarrach@gmail.com>
        + 99 others); Sat, 21 Mar 2020 22:29:27 -0400
Received: from mail-pf1-f196.google.com ([209.85.210.196]:38254 "EHLO
        mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726409AbgCVC30 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 21 Mar 2020 22:29:26 -0400
Received: by mail-pf1-f196.google.com with SMTP id z25so1230875pfa.5
        for <linux-kernel@vger.kernel.org>; Sat, 21 Mar 2020 19:29:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to;
        bh=arQnpFHOoa7S/s1PfPQOvxZBgmi2F7VexqtjKFUPC54=;
        b=Say68nV5UAUWTbMz1IP0uAqUmYQ6yqK1z+HBjPCjOGsfLk4NwqZDgBV3dMnIoTO3OZ
         XLnHPHX9pBvXV+ru/Chopk5a/6uurdLDcJMFNwkfvFgjtoDJ7uLm1fDGavs/2KLSsiUA
         1eQbGceXCdj1BKwMvaXiAqQknCxx5lWX4Mwjs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to;
        bh=arQnpFHOoa7S/s1PfPQOvxZBgmi2F7VexqtjKFUPC54=;
        b=EhgVax+G6k9RF3VF1NEIYVq+kd3cSSmnLNdrmtirTqVR+e++MSaKKR39C6hrbJBTIq
         ua9uC2pNvZtsb1t1ZzEJZoFji+qRliFqs7cvGm0S5Oi4Ox0ou4hp+5/3XSl/KQQwdcMt
         4M8DQKd59ZAAsU3GAX7jH5dnP9O8fKSGDHmb6o/iCdONY3SAVuJrZmjHUBPwk9secwR/
         oVkRx7P1r+O9eGx/QtJRmnDXhqQAWBkhwU+yC0jkx0dMGl36eU40bfDsKelTrAYrhpZy
         ycZBHUM8rF8CH5fCBblxnDMl9/FCXwPcdzg16LtNV1LkQ36l6BX70lf9iZ5EVxrd5zDn
         7XGQ==
X-Gm-Message-State: ANhLgQ2+8QctsKzHTjyYfc5CNw87QKuTJqyyS4XALnobWhUnkLZglGhf
        TPnLyQVOYw4i7OAFW0jfkK7V+Q==
X-Received: by 2002:aa7:9698:: with SMTP id f24mr17463029pfk.94.1584844165245;
        Sat, 21 Mar 2020 19:29:25 -0700 (PDT)
Received: from www.outflux.net (smtp.outflux.net. [198.145.64.163])
        by smtp.gmail.com with ESMTPSA id b19sm8262224pju.12.2020.03.21.19.29.23
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sat, 21 Mar 2020 19:29:23 -0700 (PDT)
Date:   Sat, 21 Mar 2020 19:29:22 -0700
From:   Kees Cook <keescook@chromium.org>
To:     Thomas Gleixner <tglx@linutronix.de>
Cc:     Andi Kleen <andi@firstfloor.org>, x86@kernel.org,
        linux-kernel@vger.kernel.org, Andi Kleen <ak@linux.intel.com>,
        Andy Lutomirski <luto@amacapital.net>,
        Will Drewry <wad@chromium.org>
Subject: Re: [PATCH] x86/speculation: Allow overriding seccomp speculation
 disable
Message-ID: <202003211916.8078081E0@keescook>
References: <20200312231222.81861-1-andi@firstfloor.org>
 <87sgi1rcje.fsf@nanos.tec.linutronix.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <87sgi1rcje.fsf@nanos.tec.linutronix.de>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Mar 21, 2020 at 03:46:29PM +0100, Thomas Gleixner wrote:
> Cc+: Seccomp maintainers ....

Thanks!

> Andi Kleen <andi@firstfloor.org> writes:
> > [...]
> >
> > Longer term we probably need to discuss if the seccomp heuristic
> > is still warranted and should be perhaps changed. It seemed
> > like a good idea when these vulnerabilities were new, and
> > no web browsers supported site isolation. But with site isolation
> > widely deployed -- Chrome has it on by default, and as I understand
> > it, Firefox is going to enable it by default soon. And other seccomp
> > users (like sshd or systemd) probably don't really need it.
> > Given that it's not clear the default heuristic is still a good
> > idea.
> >
> > But anyways this patch doesn't change any defaults, just
> > let's applications override it.
> 
> It changes the enforcement and I really want the seccomp people to have
> a say here.

None of this commit makes sense to me. :)

The point of the defaults was to grandfather older seccomp users into
speculation mitigations. Newly built seccomp users can choose to disable
this with SECCOMP_FILTER_FLAG_SPEC_ALLOW when applying seccomp filters.
The rationale was that once a process knows how to manage its exposure,
it can choose to leave off the automatic enabling. I don't see any
mention of that method in the commit log, so if there is some reason
it's not workable, that would need to be discussed first.

And the force disable matches the design goals of seccomp: no applied
restrictions can be later relaxed for a process. I'm more in favor of
changing the behavior of SPEC_STORE_BYPASS_CMD_AUTO, but probably not for
another 3 years at least. (To get us to at least 5 years since Meltdown,
which is relatively close to various longer LTS cycles.)

-Kees

-- 
Kees Cook