From: Andi Kleen <ak@linux.intel.com>
To: speck@linutronix.de
Subject: [MODERATED] Re: [PATCH SSBv11 0/3] seccomp 1
Date: Thu, 3 May 2018 07:57:29 -0700	[thread overview]
Message-ID: <20180503145729.GX75137@tassilo.jf.intel.com> (raw)
In-Reply-To: <20180503140932.t63gcxlaohfnavxk@gmail.com>

> The other problem with 'site isolation' is that it doesn't necessarily solve or 
> even mitigate the problem: if for example malicious Javascript is injected from an 
> ad network, supposedly safely sandboxed, but it can still anomalously read site 

If the ad network injects JS on your site it can already read everything
of that site in the JS context. So there's no threat on the JS level data.

But I believe normally ads are running in a different site context anyways,
because they are served from the adservers, not the site's server.

> local data via leaky speculation then that's still a dangerous violation of 
> sandboxing constraints: it could read pointers to defeat ASLR, 

That's true, but then it would still be jailed in the seccomp syscall sandbox.
Also if there's an attack where the pointers help it's likely already
exploitable with standard spraying etc. techniques.

> it could read local keys or other data it's not supposed to read.

Everything sensitive (and especially keys) is supposed to be in other processes.

> Once a browser specifically knows that it has fully mitigated against an attack it 
> can turn off any default mitigation early in its init sequence via the prctl, when 
> it still has full OS access and no seccomp isolation. All child tasks should 
> inherit that.

Ok, so the browser has to then essentially work around that Linux bogosity.
Would be better to not have it in the first place.

-Andi

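The prctl Ingo refers to, as an added example that is not part of this thread or of the SSBv11 series: a process queries its own Speculative Store Bypass state, turns the default mitigation off while it is still unsandboxed, and forks to show that a child inherits the result. The constants and the seccomp interaction noted in the comments (PR_GET/SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, the PR_SPEC_* state bits, SECCOMP_FILTER_FLAG_SPEC_ALLOW) are the ones in mainline Linux 4.17 and later; the SSBv11 patches themselves are not on this page and may have differed, so treat their use here as an assumption about the final interface, not as a description of the series.

```c
/*
 * Added example, not code from the thread or the SSBv11 series.
 * Probes and changes the per-task SSB mitigation with the
 * PR_{GET,SET}_SPECULATION_CTRL prctl as merged in mainline Linux 4.17,
 * then forks to show the state is inherited.  Constants are the mainline
 * values (assumption: the series under discussion predates them).
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif

/* Decode the value PR_GET_SPECULATION_CTRL returns into a readable state. */
const char *ssb_state_name(long state)
{
    if (state < 0)
        return "error";
    if (state == PR_SPEC_NOT_AFFECTED)
        return "not affected";
    if (!(state & PR_SPEC_PRCTL))
        return "no per-task control (global mode)";
    if (state & PR_SPEC_FORCE_DISABLE)
        return "mitigated, locked (force disable)";
    if (state & PR_SPEC_DISABLE)
        return "mitigated (speculation disabled)";
    if (state & PR_SPEC_ENABLE)
        return "unmitigated (speculation enabled)";
    return "unknown";
}

/* True when PR_SPEC_ENABLE can still succeed for this state: per-task
 * control exists and the mitigation has not been locked on. */
int ssb_can_reenable(long state)
{
    return state > 0 && (state & PR_SPEC_PRCTL) && !(state & PR_SPEC_FORCE_DISABLE);
}

#ifdef __linux__
static long ssb_get(void)
{
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
}

static int ssb_set(unsigned long ctrl)
{
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, ctrl, 0, 0);
}

int main(void)
{
    long before = ssb_get();
    if (before < 0) {
        /* EINVAL: kernel predates the prctl; ENODEV: no SSB control here. */
        printf("PR_GET_SPECULATION_CTRL failed: %s\n", strerror(errno));
        return 1;
    }
    printf("parent before: %s\n", ssb_state_name(before));

    /* The step Ingo describes: switch the default mitigation off early,
     * while the process still has full OS access.  In mainline this is
     * refused with EPERM once the state is force-disabled, which is what
     * installing a seccomp filter does unless the filter was loaded with
     * SECCOMP_FILTER_FLAG_SPEC_ALLOW. */
    if (ssb_can_reenable(before) && ssb_set(PR_SPEC_ENABLE) != 0)
        printf("PR_SPEC_ENABLE refused: %s\n", strerror(errno));

    long after = ssb_get();
    printf("parent after:  %s\n", ssb_state_name(after));
    fflush(stdout);

    /* The per-task state is inherited across fork, so a sandboxed child
     * sees whatever the parent settled on before sandboxing. */
    pid_t pid = fork();
    if (pid == 0) {
        printf("child:         %s\n", ssb_state_name(ssb_get()));
        _exit(0);
    }
    if (pid > 0) {
        int status;
        waitpid(pid, &status, 0);
    }
    return 0;
}
#else
int main(void)
{
    printf("PR_*_SPECULATION_CTRL is Linux-only\n");
    return 0;
}
#endif
```

On a kernel that reports the CPU as not affected the program prints "not affected" twice and never calls PR_SET_SPECULATION_CTRL; on a kernel booted with spec_store_bypass_disable=on the PRCTL bit is absent and the program reports global mode, which is the case where the per-task opt-out Ingo describes is unavailable.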

Thread overview: 15+ messages
2018-05-03  0:44 [MODERATED] [PATCH SSBv11 0/3] seccomp 1 Kees Cook
2018-05-01 22:07 ` [MODERATED] [PATCH SSBv11 3/3] seccomp 0 Kees Cook
2018-05-01 22:19 ` [MODERATED] [PATCH SSBv11 1/3] seccomp 2 Kees Cook
2018-05-01 22:31 ` [MODERATED] [PATCH SSBv11 2/3] seccomp 3 Kees Cook
2018-05-03  8:58 ` [MODERATED] Re: [PATCH SSBv11 3/3] seccomp 0 Peter Zijlstra
2018-05-03  9:21   ` Thomas Gleixner
2018-05-03 16:03     ` [MODERATED] " Kees Cook
2018-05-03 12:29 ` [MODERATED] Re: [PATCH SSBv11 0/3] seccomp 1 Andi Kleen
2018-05-03 12:45   ` Thomas Gleixner
2018-05-03 14:09     ` [MODERATED] " Ingo Molnar
2018-05-03 14:57       ` Andi Kleen [this message]
2018-05-03 17:04       ` Kees Cook
2018-05-03 18:58         ` Andi Kleen
2018-05-03 23:17           ` Kees Cook
2018-05-03 14:47     ` Andi Kleen
