Re: Avoid speculative indirect calls in kernel

From: Alan Cox
Date: Fri Jan 05 2018 - 07:13:04 EST


On Fri, 5 Jan 2018 01:54:13 +0100 (CET)
Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:

> On Thu, 4 Jan 2018, Jon Masters wrote:
> > P.S. I've an internal document where I've been tracking "nice to haves"
> > for later, and one of them is whether it makes sense to tag binaries as
> > "trusted" (e.g. extended attribute, label, whatever). It was something I
> > wanted to bring up at some point as potentially worth considering.
>
> Scratch that. There is no such thing as a trusted binary.

There is if you are using signing and the like. I'm sure SELinux and
friends will grow the ability to set per process policy but that's
certainly not a priority.

However the question is wrong. 'trusted' is a binary operator not a unary
one.

The question that matters is

If I am executing A and about to switch to B does B trust A

because if B trusts A (which in Linuxspeak is 'can A ptrace B') then
there's not much point worrying about protection between them because what
you are trying to prevent is already expressly permitted.

It's even more important if there is a cost to the barrier imposition
because not only can you skip it sometimes but your scheduler can
schedule considering that cost just as it does cache eviction costs.

Alan
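A userspace model of the "does B trust A" test from the mail above, added here as an illustration; it is not code from the thread or from the kernel. Trust is approximated by the Linux ptrace attach rule (kernel/ptrace.c, __ptrace_may_access with PTRACE_MODE_ATTACH), simplified: the tracer's real uid and gid must match all of the target's uids and gids and the target must be dumpable, or the tracer must hold CAP_SYS_PTRACE. Yama, LSM hooks and user namespaces are left out. The struct, the helper names and the sample tasks are this example's own constructions.

```c
/*
 * Added example, not from the original mail or the kernel source:
 * model the "if I am executing A and about to switch to B, does B
 * trust A" test as a ptrace permission check, and derive from it
 * whether a barrier is needed on the context switch.
 */
#include <stdbool.h>
#include <stdio.h>

struct task {
    const char *comm;
    unsigned uid, euid, suid;   /* real, effective, saved uid */
    unsigned gid, egid, sgid;   /* real, effective, saved gid */
    bool dumpable;              /* cleared by a setuid exec or PR_SET_DUMPABLE 0 */
    bool cap_sys_ptrace;
};

/*
 * Simplified PTRACE_MODE_ATTACH rule: could "tracer" attach to
 * "target"?  A capable tracer may attach to anyone; otherwise the
 * tracer's real ids must match every id of the target and the
 * target must be dumpable.  (Yama, LSMs and namespaces omitted.)
 */
static bool ptrace_may_access(const struct task *tracer,
                              const struct task *target)
{
    if (tracer == target || tracer->cap_sys_ptrace)
        return true;
    if (tracer->uid != target->uid || tracer->uid != target->euid ||
        tracer->uid != target->suid)
        return false;
    if (tracer->gid != target->gid || tracer->gid != target->egid ||
        tracer->gid != target->sgid)
        return false;
    return target->dumpable;
}

/*
 * The mail's rule: the barrier between prev and next can be skipped
 * only when next trusts prev, i.e. when prev could already ptrace
 * next.  The relation is asymmetric, so argument order matters.
 */
static bool switch_needs_barrier(const struct task *prev,
                                 const struct task *next)
{
    return !ptrace_may_access(prev, next);
}

/* Constructed sample tasks (hypothetical, for the demonstration). */
static const struct task root_sshd  = { "sshd", 0, 0, 0, 0, 0, 0, true, true };
static const struct task user_shell = { "bash", 1000, 1000, 1000, 1000, 1000, 1000, true, false };
static const struct task user_gpg   = { "gpg",  1000, 1000, 1000, 1000, 1000, 1000, false, false };
static const struct task user_sudo  = { "sudo", 1000, 0, 0, 1000, 1000, 1000, false, false };
static const struct task other_user = { "bash", 1001, 1001, 1001, 1001, 1001, 1001, true, false };

int main(void)
{
    const struct { const struct task *prev, *next; } sw[] = {
        { &root_sshd,  &user_shell },  /* root -> user: user already exposed to root */
        { &user_shell, &root_sshd  },  /* user -> root: root does not trust user */
        { &user_shell, &user_gpg   },  /* same uid, target non-dumpable */
        { &user_gpg,   &user_shell },  /* reverse direction: no barrier */
        { &user_shell, &user_sudo  },  /* same real uid, euid differs */
        { &user_shell, &other_user },  /* different users */
    };
    for (unsigned i = 0; i < sizeof sw / sizeof sw[0]; i++)
        printf("%s(uid %u) -> %s(uid %u): %s\n",
               sw[i].prev->comm, sw[i].prev->uid,
               sw[i].next->comm, sw[i].next->uid,
               switch_needs_barrier(sw[i].prev, sw[i].next)
                   ? "barrier" : "skip barrier");
    return 0;
}
```

The gpg/bash pair shows the asymmetry the mail is getting at: switching from the non-dumpable gpg to the user's shell needs no barrier, because gpg could ptrace that shell anyway, while the reverse switch does, because the shell could not attach to gpg. A scheduler that knows this cost can weigh it like any other switch cost, as the mail suggests.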