RE: [PATCH v5 1/2] x86/speculation: apply IBPB more strictly to avoid cross-process data leak

From: Schaufler, Casey
Date: Mon Sep 10 2018 - 16:27:29 EST


> -----Original Message-----
> From: Jiri Kosina [mailto:jikos@xxxxxxxxxx]
> Sent: Monday, September 10, 2018 12:36 PM
> To: Schaufler, Casey <casey.schaufler@xxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>; Ingo Molnar <mingo@xxxxxxxxxx>;
> Peter Zijlstra <peterz@xxxxxxxxxxxxx>; Josh Poimboeuf
> <jpoimboe@xxxxxxxxxx>; Andrea Arcangeli <aarcange@xxxxxxxxxx>;
> Woodhouse, David <dwmw@xxxxxxxxxxxx>; Andi Kleen <ak@xxxxxxxxxxxxxxx>;
> Tim Chen <tim.c.chen@xxxxxxxxxxxxxxx>; linux-kernel@xxxxxxxxxxxxxxx;
> x86@xxxxxxxxxx
> Subject: RE: [PATCH v5 1/2] x86/speculation: apply IBPB more strictly to avoid
> cross-process data leak
>
> On Mon, 10 Sep 2018, Schaufler, Casey wrote:
>
> > Yes, It would require that this patch be tested against all the existing
> > security modules that provide a ptrace_access_check hook. It's not like
> > the security module writers don't have a bunch of locking issues to deal
> > with.
>
> Yeah, that was indeed my concern.
>
> So can we agree on doing this in the 2nd envisioned step, when this is
> going to be replaced by LSM as discussed [1] previously?

It you're going to call __ptrace_access_check(), which already includes
an LSM hook, it makes a whole lot of sense to make that the path for doing
any module specific checks. It seems wrong to disable the LSM hook there,
then turn around and introduce a new one that does the check you just
disabled. The patches I had proposed created a new LSM hook because there
was not path to an existing hook. With your addition of __ptrace_access_check()
that is no longer an issue once any locking problems are resolved. Rather than
use a new hook, the existing ptrace hooks ought to work just fine, and any new
checks can be added in a new module that has its own ptrace_access_check hook.

> [1]
> http://lkml.kernel.org/r/99FC4B6EFCEFD44486C35F4C281DC67321447094@OR
> SMSX107.amr.corp.intel.com
>
> Thanks,
>
> --
> Jiri Kosina
> SUSE Labs