From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gnomes@lxorguk.ukuu.org.uk>
X-Google-Smtp-Source: AH8x225dTW7BkNOaB+NJ8ZB5L2kyYWNtOvbK28isGO3wf3GUzICrBOShFuCSLZLDC+jiYf6KePYu
ARC-Seal: i=1; a=rsa-sha256; t=1516826821; cv=none;
        d=google.com; s=arc-20160816;
        b=pZFG2LW7WXm6unxidd8IzAcNpZYGPaGQacKmLwNa3qC2pcj8P7Gmr/0dbj+Bn5+Mbr
         zNbrFRilmUv2oVetTgCQXqPpC+1rJ2j6RSJuZ91Em5Smic9pfAU0F7NRSY9JxAjvQ5Wm
         rQThDGnocQenB6iNG7QN/TGGVU+z75EmTrtX17CG4SpeuzkEt1OAMclFvSreGxKLIeRA
         LlOTyJ1fA7hMK+fpeh3O9wzRj2cHX+q/6IxS+/oDvlSUjH5QBV+QTTZytZRkEtr5xEbC
         J9J1HeLZClUNg/tWZUOIkf7ZA0qjeYuoIoM5bwTY4toTTIIB2EACdVyQgJlHneh4gZj/
         4zPA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:organization:references
         :in-reply-to:message-id:subject:cc:to:from:date
         :arc-authentication-results;
        bh=1kyYasVzCewqfgD2BIzyfY2P4xMs65tKNhfdrrNPqQc=;
        b=0ydTdS2+49IAQXAmGt3FNqu/u4LOBXbeL9W71QrKYYxCyWg9/L1apvapoSwuGeiO7L
         7T5A7ibKcKr52tPrrn3EGD7ntDBKtB09mvVDXGM1BdStwDpxhuMXo45mb+W4DkBGiWSw
         uQXTiVrFH8sg7BKQRjijcyJY+MhJRX6HkpzNPaRAetmbbEeIijIerHcGP37vjGPT0eXw
         0BD27xl2vna4QX06m5Oqq++ZjLoFIiRJWn7l6UuymOAi3MTtyjcp16d88IgMciwXBxQI
         SfEwokCer05OApInK+vJN2j16Zcoj0SAYC4fFGk0xA5NXBe43HZDtC05InmP8bToMMxX
         vaGQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of gnomes@lxorguk.ukuu.org.uk designates 82.70.14.225 as permitted sender) smtp.mailfrom=gnomes@lxorguk.ukuu.org.uk
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of gnomes@lxorguk.ukuu.org.uk designates 82.70.14.225 as permitted sender) smtp.mailfrom=gnomes@lxorguk.ukuu.org.uk
Date: Wed, 24 Jan 2018 20:46:22 +0000
From: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
To: Pavel Machek <pavel@ucw.cz>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>,
        Dominik Brodowski
 <linux@dominikbrodowski.net>,
        linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org,
        kvm@vger.kernel.org, Heiko Carstens
 <heiko.carstens@de.ibm.com>,
        Christian Borntraeger
 <borntraeger@de.ibm.com>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Cornelia
 Huck <cohuck@redhat.com>,
        David Hildenbrand <david@redhat.com>,
        Greg
 Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jon Masters <jcm@redhat.com>, Marcus Meissner <meissner@suse.de>,
        Jiri Kosina <jkosina@suse.cz>, w@1wt.eu, keescook@chromium.org,
        thomas.lendacky@amd.com, dwmw@amazon.co.uk, ak@linux.intel.com
Subject: Re: Avoiding information leaks between users and between processes
 by default? [Was: : [PATCH 1/5] prctl: add PR_ISOLATE_BP process control]
Message-ID: <20180124204622.1f7b0de2@alans-desktop>
In-Reply-To: <20180124190105.GA30107@amd>
References: <1516712825-2917-1-git-send-email-schwidefsky@de.ibm.com>
	<1516712825-2917-2-git-send-email-schwidefsky@de.ibm.com>
	<20180123170719.GA4154@isilmar-4.linta.de>
	<20180124072953.50851fec@mschwideX1>
	<20180124083705.GA14868@light.dominikbrodowski.net>
	<20180124111552.GA24675@amd>
	<20180124134803.3e11c6d6@mschwideX1>
	<20180124190105.GA30107@amd>
Organization: Intel Corporation
X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.31; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: =?utf-8?q?1590462291652474475?=
X-GMAIL-MSGID: =?utf-8?q?1590508201082981828?=
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>

> Anyway, no need to add prctl(), if A can ptrace B and B can ptrace A,
> leaking info between them should not be a big deal. You can probably
> find existing macros doing neccessary checks.

Until one of them is security managed so it shouldn't be able to ptrace
the other, or (and this is the nasty one) when a process is executing
code it wants to protect from the rest of the same process (eg an
untrusted jvm, javascript or probably nastiest of all webassembly)

We don't need a prctl for trusted/untrusted IMHO but we do eventually
need to think about API's for "this lot is me but I don't trust
it" (flatpack, docker, etc) and for what JIT engines need to do.

Alan