From: Willy Tarreau <w@1wt.eu>
To: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Steven Rostedt <rostedt@goodmis.org>,
"security@kernel.org" <security@kernel.org>,
X86 ML <x86@kernel.org>, Borislav Petkov <bp@alien8.de>,
Sasha Levin <sasha.levin@oracle.com>,
LKML <linux-kernel@vger.kernel.org>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
Boris Ostrovsky <boris.ostrovsky@oracle.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Jan Beulich <jbeulich@suse.com>,
xen-devel <xen-devel@lists.xen.org>
Subject: Re: [PATCH v3 2/3] x86/ldt: Make modify_ldt optional
Date: Fri, 24 Jul 2015 09:48:01 +0200 [thread overview]
Message-ID: <20150724074801.GA3396@1wt.eu> (raw)
In-Reply-To: <20150724072451.GB3293@1wt.eu>
On Fri, Jul 24, 2015 at 09:24:51AM +0200, Willy Tarreau wrote:
> On Thu, Jul 23, 2015 at 05:09:21PM -0700, Kees Cook wrote:
> > > All this to say that probably only a handful of tricky syscalls would
> > > need an on/off switch but clearly not all of them at all, so I'd rather
> > > add a few entries just for the relevant ones, mainly to fix compatibility
> > > issues and nothing more. Eg: what's the point of disabling exit(), wait(),
> > > kill(), fork() or getpid()... It would only increase the difficulty to
> > > sort out bug reports.
> > >
> > > Just my opinion,
> >
> > Well, I would really like to have something like this around so that I
> > can trivially globally disable syscalls when they have security risks.
>
> I understand, but while maybe it could make sense to have the option on
> any linux-specific syscall, having it on the standard, portable ones
> will be useless as disabling them will break most applications.
>
> > My hack[1] to disable kexec_load, for example, was terrible while I
> > waited for a kernel that supported the disable_kexec_load sysctl.
>
> This typically is one linux-specific syscall which no regular application
> would rely on and which can come with side effects. I think there are not
> *that* many, none of them is performance-critical, and they'd rather be
> dealt with one at a time.
Looking at syscall_64.tbl, I'm seeing that the first ~133 syscalls
have no reason for being disabled if we don't want to break portable
applications, with the exception of ptrace I guess. Past this, things
like uselib, personality, sysfs, prctl etc... could be disabled. There
are still some exceptions in this area but I don't see them as critical
if someone would accidently disable them (eg: getpriority, mlock, ...).
Others like chroot, setrlimit, adjtimex, settimeofday, mount, umount,
time need to be kept. And a few ones like sync or sethostname would be
nice to have optional in order to lock down a system at boot. Many of
the other ones are ns-specific versions of the first ones (*at) and
would rather not being made optional either. I think maybe we can find
between 10 and 30 that would make sense to optionally disable.
Willy
next prev parent reply other threads:[~2015-07-24 7:48 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-22 19:23 [PATCH v3 0/3] x86: modify_ldt improvement, test, and config option Andy Lutomirski
2015-07-22 19:23 ` [PATCH v3 1/3] x86/ldt: Make modify_ldt synchronous Andy Lutomirski
2015-07-22 22:20 ` Boris Ostrovsky
2015-07-22 22:20 ` Boris Ostrovsky
2015-07-25 4:13 ` Boris Ostrovsky
2015-07-25 4:58 ` Andy Lutomirski
2015-07-25 4:58 ` Andy Lutomirski
2015-07-25 4:13 ` Boris Ostrovsky
2015-07-24 6:37 ` Borislav Petkov
2015-07-24 6:37 ` Borislav Petkov
2015-07-24 15:29 ` Borislav Petkov
2015-07-24 15:29 ` Borislav Petkov
2015-07-25 4:52 ` Andy Lutomirski
2015-07-25 8:37 ` Borislav Petkov
2015-07-25 8:37 ` Borislav Petkov
2015-07-25 4:52 ` Andy Lutomirski
2015-07-22 19:23 ` Andy Lutomirski
2015-07-22 19:23 ` [PATCH v3 2/3] x86/ldt: Make modify_ldt optional Andy Lutomirski
2015-07-22 19:23 ` Andy Lutomirski
2015-07-23 7:13 ` Jan Beulich
2015-07-23 7:13 ` Jan Beulich
2015-07-23 10:24 ` Willy Tarreau
2015-07-23 10:24 ` Willy Tarreau
2015-07-23 23:36 ` Kees Cook
2015-07-23 23:40 ` Andy Lutomirski
2015-07-23 23:40 ` Andy Lutomirski
2015-07-23 23:58 ` Willy Tarreau
2015-07-23 23:58 ` Willy Tarreau
2015-07-24 0:09 ` Kees Cook
2015-07-24 7:24 ` Willy Tarreau
2015-07-24 7:48 ` Willy Tarreau
2015-07-24 7:48 ` Willy Tarreau [this message]
2015-07-24 7:24 ` Willy Tarreau
2015-07-24 0:09 ` Kees Cook
2015-07-23 23:36 ` Kees Cook
2015-07-22 19:23 ` [PATCH v3 3/3] selftests/x86, x86/ldt: Add a selftest for modify_ldt Andy Lutomirski
2015-07-22 19:23 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150724074801.GA3396@1wt.eu \
--to=w@1wt.eu \
--cc=andrew.cooper3@citrix.com \
--cc=boris.ostrovsky@oracle.com \
--cc=bp@alien8.de \
--cc=jbeulich@suse.com \
--cc=keescook@chromium.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=sasha.levin@oracle.com \
--cc=security@kernel.org \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.