From: Thomas Gleixner <tglx@linutronix.de>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Jiri Kosina <jikos@kernel.org>,
"Schaufler, Casey" <casey.schaufler@intel.com>,
Ingo Molnar <mingo@redhat.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
"Woodhouse, David" <dwmw@amazon.co.uk>,
Andi Kleen <ak@linux.intel.com>,
Tim Chen <tim.c.chen@linux.intel.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>
Subject: Re: [PATCH v6 0/3] Harden spectrev2 userspace-userspace protection
Date: Sat, 22 Sep 2018 15:30:07 +0200 (CEST) [thread overview]
Message-ID: <alpine.DEB.2.21.1809221527140.1391@nanos.tec.linutronix.de> (raw)
In-Reply-To: <alpine.DEB.2.21.1809221219270.1391@nanos.tec.linutronix.de>
On Sat, 22 Sep 2018, Thomas Gleixner wrote:
> On Sat, 22 Sep 2018, Peter Zijlstra wrote:
> > This has some unfortunate duplication.
> >
> > Lets go with it for now, but I'll see if I can do something about that
> > later.
>
> Yes, I know. I tried to make the duplication smaller, but all attempts
> ended up being a convoluted mess. I'll try again after applying more
> coffee.
Lunch and coffee indeed made brain work better. The simple solution was way
too obvious.
Thanks,
tglx
8<--------------------
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -7,6 +7,7 @@
#include <linux/export.h>
#include <linux/cpu.h>
#include <linux/debugfs.h>
+#include <linux/ptrace.h>
#include <asm/tlbflush.h>
#include <asm/mmu_context.h>
@@ -180,6 +181,19 @@ static void sync_current_stack_to_mm(str
}
}
+static bool ibpb_needed(struct task_struct *tsk, u64 last_ctx_id)
+{
+ /*
+ * Check if the current (previous) task has access to the memory
+ * of the @tsk (next) task. If access is denied, make sure to
+ * issue a IBPB to stop user->user Spectre-v2 attacks.
+ *
+ * Note: __ptrace_may_access() returns 0 or -ERRNO.
+ */
+ return (tsk && tsk->mm && tsk->mm->context.ctx_id != last_ctx_id &&
+ ptrace_may_access_sched(tsk, PTRACE_MODE_SPEC_IBPB));
+}
+
void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
struct task_struct *tsk)
{
@@ -262,18 +276,13 @@ void switch_mm_irqs_off(struct mm_struct
* one process from doing Spectre-v2 attacks on another.
*
* As an optimization, flush indirect branches only when
- * switching into processes that disable dumping. This
- * protects high value processes like gpg, without having
- * too high performance overhead. IBPB is *expensive*!
- *
- * This will not flush branches when switching into kernel
- * threads. It will also not flush if we switch to idle
- * thread and back to the same process. It will flush if we
- * switch to a different non-dumpable process.
+ * switching into a processes that can't be ptrace by the
+ * current one (as in such case, attacker has much more
+ * convenient way how to tamper with the next process than
+ * branch buffer poisoning).
*/
- if (tsk && tsk->mm &&
- tsk->mm->context.ctx_id != last_ctx_id &&
- get_dumpable(tsk->mm) != SUID_DUMP_USER)
+ if (static_cpu_has(X86_FEATURE_USE_IBPB) &&
+ ibpb_needed(tsk, last_ctx_id))
indirect_branch_prediction_barrier();
if (IS_ENABLED(CONFIG_VMAP_STACK)) {
--- a/include/linux/ptrace.h
+++ b/include/linux/ptrace.h
@@ -62,14 +62,17 @@ extern void exit_ptrace(struct task_stru
#define PTRACE_MODE_READ 0x01
#define PTRACE_MODE_ATTACH 0x02
#define PTRACE_MODE_NOAUDIT 0x04
-#define PTRACE_MODE_FSCREDS 0x08
-#define PTRACE_MODE_REALCREDS 0x10
+#define PTRACE_MODE_FSCREDS 0x08
+#define PTRACE_MODE_REALCREDS 0x10
+#define PTRACE_MODE_SCHED 0x20
+#define PTRACE_MODE_IBPB 0x40
/* shorthands for READ/ATTACH and FSCREDS/REALCREDS combinations */
#define PTRACE_MODE_READ_FSCREDS (PTRACE_MODE_READ | PTRACE_MODE_FSCREDS)
#define PTRACE_MODE_READ_REALCREDS (PTRACE_MODE_READ | PTRACE_MODE_REALCREDS)
#define PTRACE_MODE_ATTACH_FSCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_FSCREDS)
#define PTRACE_MODE_ATTACH_REALCREDS (PTRACE_MODE_ATTACH | PTRACE_MODE_REALCREDS)
+#define PTRACE_MODE_SPEC_IBPB (PTRACE_MODE_ATTACH_REALCREDS | PTRACE_MOD_IBPB)
/**
* ptrace_may_access - check whether the caller is permitted to access
@@ -87,6 +90,20 @@ extern void exit_ptrace(struct task_stru
*/
extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
+/**
+ * ptrace_may_access - check whether the caller is permitted to access
+ * a target task.
+ * @task: target task
+ * @mode: selects type of access and caller credentials
+ *
+ * Returns true on success, false on denial.
+ *
+ * Similar to ptrace_may_access(). Only to be called from context switch
+ * code. Does not call into audit and the regular LSM hooks due to locking
+ * constraints.
+ */
+extern bool ptrace_may_access_sched(struct task_struct *task, unsigned int mode);
+
static inline int ptrace_reparented(struct task_struct *child)
{
return !same_thread_group(child->real_parent, child->parent);
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -261,6 +261,9 @@ static int ptrace_check_attach(struct ta
static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
{
+ if (mode & PTRACE_MODE_SCHED)
+ return false;
+
if (mode & PTRACE_MODE_NOAUDIT)
return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
else
@@ -328,9 +331,16 @@ static int __ptrace_may_access(struct ta
!ptrace_has_cap(mm->user_ns, mode)))
return -EPERM;
+ if (mode & PTRACE_MODE_SCHED)
+ return 0;
return security_ptrace_access_check(task, mode);
}
+bool ptrace_may_access_sched(struct task_struct *task, unsigned int mode)
+{
+ return __ptrace_may_access(task, mode | PTRACE_MODE_SCHED);
+}
+
bool ptrace_may_access(struct task_struct *task, unsigned int mode)
{
int err;
next prev parent reply other threads:[~2018-09-22 13:30 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-10 9:22 [PATCH v5 0/2] Harden spectrev2 userspace-userspace protection Jiri Kosina
2018-09-10 9:23 ` [PATCH v5 1/2] x86/speculation: apply IBPB more strictly to avoid cross-process data leak Jiri Kosina
2018-09-10 18:26 ` Schaufler, Casey
2018-09-10 19:14 ` Jiri Kosina
2018-09-10 19:26 ` Schaufler, Casey
2018-09-10 19:36 ` Jiri Kosina
2018-09-10 20:27 ` Schaufler, Casey
2018-09-10 20:42 ` Jiri Kosina
2018-09-10 21:29 ` Schaufler, Casey
2018-09-10 21:36 ` Jiri Kosina
2018-09-11 21:15 ` Thomas Gleixner
2018-09-11 22:25 ` Schaufler, Casey
2018-09-12 12:01 ` Thomas Gleixner
2018-10-21 19:38 ` Pavel Machek
2018-10-21 23:32 ` Jiri Kosina
2018-09-10 9:24 ` [PATCH v5 2/2] x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation Jiri Kosina
2018-09-10 10:04 ` Thomas Gleixner
2018-09-10 11:01 ` Jiri Kosina
2018-09-10 11:46 ` Jiri Kosina
2018-09-11 17:32 ` Tim Chen
2018-09-11 21:16 ` Thomas Gleixner
2018-09-11 21:46 ` Thomas Gleixner
2018-09-12 17:16 ` Tom Lendacky
2018-09-12 21:26 ` Tim Chen
2018-09-12 21:45 ` Jiri Kosina
2018-09-12 22:56 ` Tim Chen
2018-09-13 14:53 ` Tom Lendacky
2018-09-12 9:05 ` [PATCH v6 0/3] Harden spectrev2 userspace-userspace protection Jiri Kosina
2018-09-12 9:06 ` [PATCH v6 1/3] x86/speculation: apply IBPB more strictly to avoid cross-process data leak Jiri Kosina
2018-09-13 0:04 ` Schaufler, Casey
2018-09-14 11:00 ` Jiri Kosina
2018-09-14 11:05 ` Thomas Gleixner
2018-09-12 9:07 ` [PATCH v6 2/3] x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation Jiri Kosina
2018-09-12 19:14 ` Thomas Gleixner
2018-09-12 19:16 ` Jiri Kosina
2018-09-12 9:08 ` [PATCH v6 3/3] x86/speculation: Propagate information about RSB filling mitigation to sysfs Jiri Kosina
2018-09-17 16:09 ` [PATCH v6 0/3] Harden spectrev2 userspace-userspace protection Schaufler, Casey
2018-09-19 15:48 ` Peter Zijlstra
2018-09-22 7:38 ` Jiri Kosina
2018-09-22 9:53 ` Thomas Gleixner
2018-09-22 10:18 ` Peter Zijlstra
2018-09-22 10:20 ` Thomas Gleixner
2018-09-22 13:30 ` Thomas Gleixner [this message]
2018-09-22 14:31 ` Peter Zijlstra
2018-09-24 8:43 ` Jiri Kosina
2018-09-24 12:38 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.21.1809221527140.1391@nanos.tec.linutronix.de \
--to=tglx@linutronix.de \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=casey.schaufler@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=jikos@kernel.org \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tim.c.chen@linux.intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).