lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 11 Jan 2018 11:33:09 -0800
From:   Andy Lutomirski <luto@...capital.net>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Willy Tarreau <w@....eu>, Andy Lutomirski <luto@...nel.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Peter Zijlstra <peterz@...radead.org>,
        LKML <linux-kernel@...r.kernel.org>, X86 ML <x86@...nel.org>,
        Borislav Petkov <bp@...en8.de>,
        Brian Gerst <brgerst@...il.com>,
        Ingo Molnar <mingo@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Kees Cook <keescook@...omium.org>
Subject: Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set



> On Jan 11, 2018, at 10:26 AM, Linus Torvalds <torvalds@...ux-foundation.org> wrote:
> 
> On Thu, Jan 11, 2018 at 10:25 AM, Linus Torvalds
> <torvalds@...ux-foundation.org> wrote:
>> 
>> The other case may be the CLONE_NEW* operations. I *think* they are
>> noops as far as PTI settings would be, but I think people should think
>> about them.
> 
> Oh, and yes, I think the npti flag should also break ptrace(). I do
> agree with Andy that it's a "capability", although I do not think it
> should actually be implemented as one.

For all that Linux capabilities are crap, nopti walks like one and quacks like one.  It needs to affect ptrace() permissions, it needs a way to disable it systemwide, it needs LSM integration, etc.  Using CAP_DISABLE_PTI gives us all of this without tons of churn, auditing, and a whole new configuration thingy for each LSM.  And I avoids permanently polluting ptrace checks, the LSM interface, etc for what is, essentially, a performance hack to work around a blatant error in the design of some CPUs.

Plus, with ambient caps, we already did the nasty part of the with and finished all the relevant bikeshedding.

So I'd rather just hold my nose and add the new capability bit.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ