Re: [PATCH v3 1/3] ptrace: Provide ___ptrace_may_access() that can be applied on arbitrary tasks

From: Jiri Kosina
Date: Wed Sep 05 2018 - 02:24:42 EST


On Tue, 4 Sep 2018, Tim Chen wrote:

> I think STIBP should be an opt-in option as it will have significant
> impact on performance. The attack from neighbor thread is pretty
> difficult to pull off considering you have to know what the sibling
> thread is running and its address allocation.

In many scenarios the attacker can just easily taskset itself to the
correct sibling.

> We could also use a security module to opt in the STIBP policy.

I am a bit afraid that we are offloading to sysadmins decisions that are
very hard for them to make, as they require deep understanding of both the
technical details of the security issue in the CPU, and the mitigation.

I surely understand that Intel is doing what they could to minimize the
performance effect, but achieving that by making it a rocket science to
configure it properly doesn't feel right.

So, after giving it a bit more thought, I still believe "I want spectre V2
protection" vs. "I do not care about spectre V2 on my system
(=nospectre_v2)" are the sane options we should provide; so I'll respin v4
of my patchset, including the ptrace check in switch_mm() (statically
patched out on !IBPB-capable systems), and we can then later see whether
the LSM implementation, once it exists, should be used instead.

Thanks,

--
Jiri Kosina
SUSE Labs