Re: [Patch v6 14/16] x86/speculation: Use STIBP to restrict speculation on non-dumpable task

From: Dave Hansen
Date: Wed Nov 21 2018 - 15:07:50 EST


On 11/20/18 5:27 PM, Linus Torvalds wrote:
> Also, "dumpable" in general is pretty oddly defined to be used for this.
>
> The same (privileged) process can be dumpable or not depending on how
> it was started (i.e. if it was started by a regular user and became
> trusted through suid, it's not dumpable, but if it was started from a
> root process it remains dumpable).
>
> So I'm just not convinced "dumpability" is meaningful for STIBP.

I think we're hoping that "dumpability" is at least correlated with
sensitive processes. As you've pointed out, it's not a strict
relationship, but there's still some meaning.

Let's not forget about things like gpg that do PR_SET_DUMPABLE
completely independently of the actions that trigger the
/proc/sys/fs/suid_dumpable behavior. Those will be non-dumpable
regardless of how they were started.

In addition, things that are started via suid surely *do* have more
attack surface than something started by root. We've been positing that
these attacks get easier when the attacker and victim have a
relationship, either via RPC, or the network, or *something*. suid
basically *guarantees* there's a relationship between the privileged
thing and _something_ untrusted.

Repurposing dumpable is really screwy and surely imprecise, but it
really is the closest thing that we have without the new ABI.
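As an added illustration of the two mechanisms discussed above (the PR_SET_DUMPABLE opt-out that programs like gpg use, and the /proc/sys/fs/suid_dumpable sysctl that governs suid-started processes), here is a small Linux-only C program. It is example code written for this page, not code from the thread or the kernel patch series; it assumes <sys/prctl.h> is available and that /proc is mounted.

```c
/* Added example (not from the thread or the patch series): how a process
 * opts out of being dumpable with prctl(PR_SET_DUMPABLE), independently of
 * the suid_dumpable sysctl. Linux-only. */
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Return the calling process's dumpable state: 0 = not dumpable,
 * 1 = dumpable, 2 = suidsafe; -1 on error. */
int get_dumpable(void) {
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Mark the calling process non-dumpable, as gpg does so that key material
 * never lands in a core file and the process cannot be ptraced by an
 * unprivileged user. Returns the new state (0 on success, -1 on error). */
int make_non_dumpable(void) {
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return get_dumpable();
}

/* Read /proc/sys/fs/suid_dumpable. Returns the sysctl value, or -1 if the
 * file cannot be read (no /proc, or not Linux). */
int read_suid_dumpable(void) {
    FILE *f = fopen("/proc/sys/fs/suid_dumpable", "r");
    int v = -1;
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Human-readable meaning of the suid_dumpable sysctl for processes that
 * changed credentials (suid/sgid) at exec time. */
const char *describe_suid_dumpable(int v) {
    switch (v) {
    case 0: return "suid processes are not dumpable (default)";
    case 1: return "suid processes are dumpable (debug only)";
    case 2: return "suid dumps are written root-only (suidsafe)";
    default: return "unknown";
    }
}

int main(void) {
    int sysctl = read_suid_dumpable();
    printf("suid_dumpable=%d: %s\n", sysctl, describe_suid_dumpable(sysctl));
    printf("dumpable before prctl: %d\n", get_dumpable());
    printf("dumpable after prctl:  %d\n", make_non_dumpable());
    return 0;
}
```

The point the example makes is the one Dave raises: the sysctl only decides the dumpable state of processes that gained privilege via suid/sgid, whereas a process that calls prctl(PR_SET_DUMPABLE, 0) itself is non-dumpable no matter how it was started, so a kernel heuristic keyed on dumpability picks up both populations.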