Re: [PATCH RFC 2/4] x86/arch_prctl: add ARCH_GET_NOPTI and ARCH_SET_NOPTI to enable/disable PTI

Mon, 08 Jan 2018 09:18:21 -0800 

* Thomas Gleixner <[email protected]> wrote:

> On Mon, 8 Jan 2018, Willy Tarreau wrote:
> > This allows to report the current state of the PTI protection and to
> > enable or disable it for the current task.
> > 
> > Signed-off-by: Willy Tarreau <[email protected]>
> > ---
> >  arch/x86/include/uapi/asm/prctl.h |  3 +++
> >  arch/x86/kernel/process_64.c      | 24 ++++++++++++++++++++++++
> >  2 files changed, 27 insertions(+)
> > 
> > diff --git a/arch/x86/include/uapi/asm/prctl.h 
> > b/arch/x86/include/uapi/asm/prctl.h
> > index 5a6aac9..1f1b5bc 100644
> > --- a/arch/x86/include/uapi/asm/prctl.h
> > +++ b/arch/x86/include/uapi/asm/prctl.h
> > @@ -10,6 +10,9 @@
> >  #define ARCH_GET_CPUID             0x1011
> >  #define ARCH_SET_CPUID             0x1012
> >  
> > +#define ARCH_GET_NOPTI             0x1021
> > +#define ARCH_SET_NOPTI             0x1022
> > +
> >  #define ARCH_MAP_VDSO_X32  0x2001
> >  #define ARCH_MAP_VDSO_32   0x2002
> >  #define ARCH_MAP_VDSO_64   0x2003
> > diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
> > index c754662..1686d3d 100644
> > --- a/arch/x86/kernel/process_64.c
> > +++ b/arch/x86/kernel/process_64.c
> > @@ -654,6 +654,30 @@ long do_arch_prctl_64(struct task_struct *task, int 
> > option, unsigned long arg2)
> >             ret = put_user(base, (unsigned long __user *)arg2);
> >             break;
> >     }
> > +   case ARCH_GET_NOPTI: {
> > +           unsigned long flag;
> > +
> > +           printk(KERN_DEBUG "get1: task=%p ti=%p fl=%16lx\n", task, 
> > task_thread_info(task), task_thread_info(task)->flags);
> > +           flag = !!(task_thread_info(task)->flags & _TIF_NOPTI);
> > +           ret = put_user(flag, (unsigned long __user *)arg2);
> > +           break;
> 
> Per task is really an odd choice. That should be per process I think, but
> that of course needs synchronization of some form. Aside of that we need to
> think about fork().

So per task (thread) is the most natural approach to low level asm flaggery.

Making it per thread also makes some sense conceptually: in a complex 
multi-threaded runtime implementation some threads might never execute
'untrusted' code, some might. No need to penalize the 'server' threads.

Not sure we want that complexity though, and while it _should_ work I think, 
mostly, there might be some unexpected implications.

Thanks,

        Ingo

Reply via email to