Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set

From: Willy Tarreau
Date: Fri Jan 12 2018 - 17:01:26 EST

Next message: David Rientjes: "Re: [PATCH v13 0/7] cgroup-aware OOM killer"
Previous message: Laurence Oberman: "Re: [PATCHSET v5] blk-mq: reimplement timeout handling"
In reply to: Andy Lutomirski: "Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set"
Next in thread: Willy Tarreau: "Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Jan 12, 2018 at 01:18:06PM -0800, Andy Lutomirski wrote:
> FWIW, if we take this approach, then either dropping the capability should
> turn PTI back on or we need to deal with the corner case of PTI off and
> capability not present. The latter is a bit awkward but not necessarily a
> show stopper. I think that all we need to do is to update the ptrace rules
> and maybe make PTI turn back on when we execve. At least there's no need to
> muck around with LSM hooks.

That's my point as well, just the same principle as the "NEXT" prctl : only
perform changes on execve(). At least we're sure to deal with something
consistent and it's the right moment for deciding on _PAGE_NX.

Willy

Next message: David Rientjes: "Re: [PATCH v13 0/7] cgroup-aware OOM killer"
Previous message: Laurence Oberman: "Re: [PATCHSET v5] blk-mq: reimplement timeout handling"
In reply to: Andy Lutomirski: "Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set"
Next in thread: Willy Tarreau: "Re: [RFC PATCH v2 6/6] x86/entry/pti: don't switch PGD on when pti_disable is set"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]