Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set

From: Dave Hansen
Date: Thu Jan 11 2018 - 13:36:12 EST


On 01/11/2018 07:44 AM, Willy Tarreau wrote:
>> 4. Cleared on setuid() and friends
> This one causes me a problem: some daemons already take care of dropping
> privileges after the initial fork() for the sake of security. Haproxy
> typically does this at boot :
>
> - parse config
> - chroot to /var/empty
> - setuid(dedicated_uid)
> - fork()

This makes me a _bit_ nervous. I think Andy touched on this, but I'll
say it another way: you want PTI turned off because you trust an app to
be good, but you also drop permissions because it is exposed to an
environment where you do *not* fully trust it.

I'm not sure how you reconcile that.

If your proxy gets compromised, and pti is turned off, you are entirely
exposed to meltdown from that process. I don't know exactly what you
are doing, but isn't this proxy sitting there shuffling untrusted user
data around all day?
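For readers following the tension Dave describes, the following is an added example (not haproxy's code and not part of this thread) of the boot-time sequence Willy lists, chroot, then setuid, then fork, written with the ordering constraints and the post-drop check a reviewer would want to see: chroot happens while still root because it needs CAP_SYS_CHROOT, groups are changed before the uid because they cannot be changed afterwards, and the process refuses to start unless an attempt to regain root is actually refused. The per-process pti_disable flag from the patch series is not shown because its interface is not on this page. Passing a NULL jail to skip the chroot is an assumption made so the example runs without root; the uid/gid 65534 and /var/empty in main() are placeholders.

```c
/* Privilege-drop sequence in the order the thread describes (chroot, then
 * setuid, then fork), with the checks a reviewer would want. Added example,
 * not haproxy's code. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to uid/gid, optionally confining the process to `jail` first.
 * Returns 0 on success or -errno for the first step that failed.
 * jail == NULL skips the chroot (assumption for this example so it can run
 * unprivileged; a real daemon would always jail). */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    /* 1. chroot while still root: it needs CAP_SYS_CHROOT. chdir("/")
     *    afterwards, or the cwd still refers to a directory outside the jail. */
    if (jail) {
        if (chroot(jail) != 0)
            return -errno;
        if (chdir("/") != 0)
            return -errno;
    }
    /* 2. Groups before uid: once the uid is dropped, setgroups()/setgid()
     *    fail. Only root may change the supplementary group list, so it is
     *    skipped when the process is already unprivileged. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    /* 3. uid last. When called by root, setuid() sets real, effective and
     *    saved uid, so no saved root uid remains to switch back to. */
    if (setuid(uid) != 0)
        return -errno;
    return 0;
}

/* Returns 1 if the process runs as `uid` and cannot regain root, 0 otherwise.
 * uid 0 is never counted as dropped. */
int privileges_irrevocable(uid_t uid)
{
    if (uid == 0)
        return 0;
    if (getuid() != uid || geteuid() != uid)
        return 0;
    /* The check that matters: an attempt to become root must be refused. */
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

int main(void)
{
    /* Stand-in for "parse config, chroot, setuid, fork". Run as root;
     * uid/gid 65534 ("nobody") and /var/empty are placeholders. */
    int rc = drop_privileges("/var/empty", 65534, 65534);
    if (rc != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(-rc));
        return 1;
    }
    if (!privileges_irrevocable(65534)) {
        fprintf(stderr, "still able to regain root, refusing to start\n");
        return 1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return 1;
    if (pid == 0) {
        /* Worker: inherits the dropped credentials and the jail. */
        _exit(0);
    }
    waitpid(pid, NULL, 0);
    return 0;
}
```

The point of `privileges_irrevocable()` is that a successful return from `setuid()` is not by itself evidence that root is gone; the daemon should fail closed if `setuid(0)` still succeeds. Note also that whatever per-process state is cleared on `setuid()` is cleared here before the `fork()`, which is exactly the ordering Willy raises.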