From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on sa.local.altlinux.org X-Spam-Level: X-Spam-Status: No, score=-4.3 required=5.0 tests=ALL_TRUSTED,BAYES_00, RP_MATCHES_RCVD autolearn=unavailable autolearn_force=no version=3.4.1 Date: Mon, 6 Jun 2022 13:20:40 +0400 From: Alexey Sheplyakov To: ALT Linux kernel packages development Message-ID: References: <20220602003100.524482-1-vt@altlinux.org> <20220602163914.GB11775@altlinux.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Subject: Re: [d-kernel] [PATCH] UBUNTU: SAUCE: security, perf: Allow further restriction of perf_event_open X-BeenThere: devel-kernel@lists.altlinux.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: ALT Linux kernel packages development List-Id: ALT Linux kernel packages development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Jun 2022 09:20:49 -0000 Archived-At: List-Archive: List-Post: Hi, On Sun, Jun 05, 2022 at 04:04:56PM +0300, Vladimir D. Seleznev wrote: > > People who actually need security > > > > 1) don't use out-of-order CPUs (to avoid Meltdown, Spectre, etc) > > 2) don't use Linux (so the kernel can be actually audited) > > 3) don't exist > > I don't get the point of these. If we don't need security why should we > bother with user/group processes/filesystems separation and permissions, > chrooting, etc. We have a superuser, lets everything run with it! 1. In a way we already do (on desktop systems). All applications run with the same uid and have the same permissions. Nothing prevents firefox from sending my private GPG key to $BIG_BROTHER, or removing all files (in $HOME), etc. 2. If you keep restricting the basic system functionality (profiling, namespaces, etc) to root only eventually people will be forced to run everything as root to get a usable system. > 1) There are some tricks to significantly reducing impact of > Spectre-like vulnerabilities, like disabling HT, separate processes to > run on different trust-level CPU core, KPTI, etc. > 2) The kernel constantly reviewed, sure it is not an audit but some part > are well reviewed, especially in general parts. I'll just leave this here: https://lkml.org/lkml/2021/4/21/454 > I think it is worth reducing the attack surface. There are a vast number of (privilege escalation) attacks which make use of symlinks. Let's disable symlinks (for ordinary users). And provide a magic knob (without any documentation) to re-enable them. > There were known vulnerabilities in the perf kernel subsystem that > allowed to escalate privileges, There were known vulnerabilities in all kernel subsystem. Including core ones, like mm (proofs: [1], [2], [3]). What about disabling CoW, vmsplice, and other "insecure" stuff? [1] https://lwn.net/Articles/849638 [2] https://lwn.net/Articles/704231 [3] https://lwn.net/Articles/268783 > and profiling is not a common task. Incorrect. Just because you don't care doesn't mean it's "not common". > I don't see why switching the knob is a big problem. The knob itself is not a big deal. The problem is the default value, which prevents ordinary users from profiling their processes. Best regards, Alexey