RE: [PATCH v3 1/3] ptrace: Provide ___ptrace_may_access() that can be applied on arbitrary tasks
From: Schaufler, Casey
Date: Tue Sep 04 2018 - 14:10:52 EST
> -----Original Message-----
> From: Jiri Kosina [mailto:jikos@xxxxxxxxxx]
> Sent: Tuesday, September 04, 2018 10:35 AM
> To: Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>; Ingo Molnar <mingo@xxxxxxxxxx>;
> Peter Zijlstra <peterz@xxxxxxxxxxxxx>; Josh Poimboeuf
> <jpoimboe@xxxxxxxxxx>; Andrea Arcangeli <aarcange@xxxxxxxxxx>;
> Woodhouse, David <dwmw@xxxxxxxxxxxx>; Oleg Nesterov
> <oleg@xxxxxxxxxx>; Schaufler, Casey <casey.schaufler@xxxxxxxxx>; linux-
> kernel@xxxxxxxxxxxxxxx; x86@xxxxxxxxxx
> Subject: Re: [PATCH v3 1/3] ptrace: Provide ___ptrace_may_access() that can
> be applied on arbitrary tasks
>
> On Tue, 4 Sep 2018, Tim Chen wrote:
>
> > > Current ptrace_may_access() implementation assumes that the 'source'
> task is
> > > always the caller (current).
> > >
> > > Expose ___ptrace_may_access() that can be used to apply the check on
> arbitrary
> > > tasks.
> >
> > Casey recently has proposed putting the decision making of whether to
> > do IBPB in the security module.
> >
> > https://lwn.net/ml/kernel-hardening/20180815235355.14908-4-
> casey.schaufler@xxxxxxxxx/
> >
> > That will have the advantage of giving the administrator a more flexibility
> > of when to turn on IBPB. The policy is very similar to what you have proposed
> here
> > but I think the security module is a more appropriate place for the security
> policy.
>
> Yeah, well, honestly, I have a bit hard time buying the "generic
> sidechannel prevention security module" idea, given how completely
> different in nature all the mitigations have been so far. I don't see that
> trying to abstract this somehow provides more clarity.
The real reason to use an LSM based approach is that overloading ptrace
checks is a Really Bad Idea. Ptrace is a user interface. Side-channel is a
processor interface. Even if ptrace_may_access() does exactly what you
want it to for side-channel mitigation today it would be incredibly
inappropriate to tie the two together for eternity. You don't want to restrict
the ptrace checks to only those things that are also good for side-channel,
and vice versa.
> So if this should be done in LSM, it'd probably have to be written by
> someone else than me :) who actually understands how the "sidechannel LSM"
> idea works.
Yes. That would be me.
>
> Thanks,
>
> --
> Jiri Kosina
> SUSE Labs