Date: Fri, 28 Sep 2018 17:40:52 +0000 From: "Schaufler, Casey" <casey.schaufler@...el.com> To: James Morris <jmorris@...ei.org>, Jann Horn <jannh@...gle.com> CC: Casey Schaufler <casey@...aufler-ca.com>, "kristen@...ux.intel.com" <kristen@...ux.intel.com>, Kernel Hardening <kernel-hardening@...ts.openwall.com>, "Dock, Deneen T" <deneen.t.dock@...el.com>, kernel list <linux-kernel@...r.kernel.org>, "Hansen, Dave" <dave.hansen@...el.com>, linux-security-module <linux-security-module@...r.kernel.org>, "selinux@...ho.nsa.gov" <selinux@...ho.nsa.gov>, Arjan van de Ven <arjan@...ux.intel.com> Subject: RE: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel > -----Original Message----- > From: James Morris [mailto:jmorris@...ei.org] > Sent: Friday, September 28, 2018 9:33 AM > To: Jann Horn <jannh@...gle.com> > Cc: Schaufler, Casey <casey.schaufler@...el.com>; Casey Schaufler > <casey@...aufler-ca.com>; kristen@...ux.intel.com; Kernel Hardening > <kernel-hardening@...ts.openwall.com>; Dock, Deneen T > <deneen.t.dock@...el.com>; kernel list <linux-kernel@...r.kernel.org>; > Hansen, Dave <dave.hansen@...el.com>; linux-security-module <linux-security- > module@...r.kernel.org>; selinux@...ho.nsa.gov; Arjan van de Ven > <arjan@...ux.intel.com> > Subject: Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel > > On Fri, 28 Sep 2018, Jann Horn wrote: > > > > so with this hard-coded logic, you are saying this case is > > > 'safe' in a sidechannel context. > > > > > > Which hints at the deeper issue that containers are a userland > > > abstraction. Protection of containers needs to be defined by userland > > > policy. > > > > Or just compare mount namespaces additionally/instead. I think that > > containers will always use those, because AFAIK nobody uses chroot() > > for containers, given that the kernel makes absolutely no security > > guarantees about chroot(). > > We can't define this in the kernel. It has no concept of containers. > > People utilize some combination of namespaces and cgroups and call them > containers, There is an amazing variety of things called containers out there. I cite them as a use case, not a requirement. > but we can't make assumptions from the kernel on what any of > this means from a security point of view, and hard-code kernel policy > based on those assumptions. We can assume that namespaces are being used as a separation mechanism. That makes processes in different namespaces potentially vulnerable to side-channel attacks. That's true regardless of whether or not someone is using namespaces to implement containers. > This is violating the principal of separating mechanism and policy, and > also imposing semantics across the kernel/user boundary. The latter > creates an ABI which we can then never break. The effects of the sidechannel security module are not API visible. The potential impact is on performance. This implementation of PTRACE_MODE_SCHED does not change what happens, but may affect when it happens. It is intended to aid in optimizing the use of expensive anti-side-channel countermeasures.
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.