> On Jan 12, 2018, at 12:22 PM, Ingo Molnar <[email protected]> wrote: > > > * Andy Lutomirski <[email protected]> wrote: > >>> Oh, and yes, I think the npti flag should also break ptrace(). I do agree >>> with >>> Andy that it's a "capability", although I do not think it should actually >>> be >>> implemented as one. >> >> For all that Linux capabilities are crap, nopti walks like one and quacks >> like >> one. It needs to affect ptrace() permissions, it needs a way to disable it >> systemwide, it needs LSM integration, etc. Using CAP_DISABLE_PTI gives us >> all >> of this without tons of churn, auditing, and a whole new configuration >> thingy >> for each LSM. And I avoids permanently polluting ptrace checks, the LSM >> interface, etc for what is, essentially, a performance hack to work around a >> blatant error in the design of some CPUs. >> >> Plus, with ambient caps, we already did the nasty part of the with and >> finished >> all the relevant bikeshedding. >> >> So I'd rather just hold my nose and add the new capability bit. > > Those all seem pretty valid arguments to me. > >
FWIW, if we take this approach, then either dropping the capability should turn PTI back on or we need to deal with the corner case of PTI off and capability not present. The latter is a bit awkward but not necessarily a show stopper. I think that all we need to do is to update the ptrace rules and maybe make PTI turn back on when we execve. At least there's no need to muck around with LSM hooks.
