lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 12 Jan 2018 13:18:06 -0800
From:   Andy Lutomirski <luto@...capital.net>
To:     Ingo Molnar <mingo@...nel.org>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Willy Tarreau <w@....eu>, Andy Lutomirski <luto@...nel.org>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Peter Zijlstra <peterz@...radead.org>,
        LKML <linux-kernel@...r.kernel.org>, X86 ML <x86@...nel.org>,
        Borislav Petkov <bp@...en8.de>,
        Brian Gerst <brgerst@...il.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Josh Poimboeuf <jpoimboe@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Kees Cook <keescook@...omium.org>
Subject: Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set



> On Jan 12, 2018, at 12:22 PM, Ingo Molnar <mingo@...nel.org> wrote:
> 
> 
> * Andy Lutomirski <luto@...capital.net> wrote:
> 
>>> Oh, and yes, I think the npti flag should also break ptrace(). I do agree with 
>>> Andy that it's a "capability", although I do not think it should actually be 
>>> implemented as one.
>> 
>> For all that Linux capabilities are crap, nopti walks like one and quacks like 
>> one.  It needs to affect ptrace() permissions, it needs a way to disable it 
>> systemwide, it needs LSM integration, etc.  Using CAP_DISABLE_PTI gives us all 
>> of this without tons of churn, auditing, and a whole new configuration thingy 
>> for each LSM.  And I avoids permanently polluting ptrace checks, the LSM 
>> interface, etc for what is, essentially, a performance hack to work around a 
>> blatant error in the design of some CPUs.
>> 
>> Plus, with ambient caps, we already did the nasty part of the with and finished 
>> all the relevant bikeshedding.
>> 
>> So I'd rather just hold my nose and add the new capability bit.
> 
> Those all seem pretty valid arguments to me.
> 
> 

FWIW, if we take this approach, then either dropping the capability should turn PTI back on or we need to deal with the corner case of PTI off and capability not present.  The latter is a bit awkward but not necessarily a show stopper.  I think that all we need to do is to update the ptrace rules and maybe make PTI turn back on when we execve.  At least there's no need to muck around with LSM hooks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ