From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754811AbbG0Vin (ORCPT ); Mon, 27 Jul 2015 17:38:43 -0400 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:30710 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754578AbbG0Vim (ORCPT ); Mon, 27 Jul 2015 17:38:42 -0400 Date: Mon, 27 Jul 2015 23:37:16 +0200 From: Willy Tarreau To: Kees Cook Cc: Andy Lutomirski , Andy Lutomirski , Peter Zijlstra , Steven Rostedt , "security@kernel.org" , X86 ML , Borislav Petkov , Sasha Levin , "linux-kernel@vger.kernel.org" , Konrad Rzeszutek Wilk , Boris Ostrovsky , Andrew Cooper , Jan Beulich , xen-devel Subject: Re: [PATCH 4/3] x86/ldt: allow to disable modify_ldt at runtime Message-ID: <20150727213716.GA19783@1wt.eu> References: <7286d77aa81abc38dc40362e2439861427064f6f.1437802102.git.luto@kernel.org> <20150725062343.GA3902@1wt.eu> <20150725075052.GA3918@1wt.eu> <20150725130340.GA17257@1wt.eu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 27, 2015 at 12:04:54PM -0700, Kees Cook wrote: > On Sat, Jul 25, 2015 at 6:03 AM, Willy Tarreau wrote: > > On Sat, Jul 25, 2015 at 09:50:52AM +0200, Willy Tarreau wrote: > >> On Fri, Jul 24, 2015 at 11:44:52PM -0700, Andy Lutomirski wrote: > >> > I'm all for it, but I think it should be hard-disablable in config, > >> > too, for the -tiny people. > >> > >> I totally agree. > >> > >> > If we add a runtime disable, let's do a > >> > separate patch, and you and Kees can fight over how general it should > >> > be. > >> > >> Initially I was thinking about changing it for a 3-state option but > >> that would prevent X86_16BIT from being hard-disablable, so I'll do > >> something completely separate. > > > > So here comes the proposed patch. It adds a default setting for the > > sysctl when the option is not hard-disabled (eg: distros not wanting > > to take risks with legacy apps). It suggests to leave the option off. > > In case a syscall is blocked, a printk_ratelimited() is called with > > relevant info (program name, pid, uid) so that the admin can decide > > whether it's a legitimate call or not. Eg: > > > > Denied a call to modify_ldt() from a.out[1736] (uid: 100). Adjust sysctl if this was not an exploit attempt. > > > > I personally think it completes well your series, hence the 4/3 numbering. > > Feel free to adopt it if you cycle another round and if you're OK with it > > of course. > > > > CCing Kees as well. > > This patch looks reasonable, but I'd prefer a tri-state (enable, > disable, hard-disable). That was my first goal initially until I realized that the current two options make it possible to also get rid of X86_16BIT as Andy did. I don't see how to do this with the 3-state mode. > I do something like this for Yama's ptrace > zero to max_scope range (which "pins" to max_scope if set): > > http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/yama/yama_lsm.c#n361 I agree with this and initially I intended to do something approximately like this when I realized that for this specific case it didn't match the pattern. In fact here we have the opportunity to completely remove support for LDT changes, not just the modify_ldt() syscall. Then it makes sense to have the two options here. Regards, Willy