excluding processes from PTI

Tycho Nightingale-2

In D15100, which I just put on Phabricator, it's possible for processes to be excluded from PTI.  What is not in D15100 is policy, nor implementation of a policy, to select which processes are excluded from PTI.

A trivial implementation of a policy would be something like this:

@@ -2656,6 +2657,7 @@
 int
 pmap_pinit_type(pmap_t pmap, enum pmap_type pm_type, int flags)
 {
+ struct ucred *cred = curthread->td_ucred;
  vm_page_t pml4pg, pml4pgu;
  vm_paddr_t pml4phys;
  int i;
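Review bot: `cred` is read from `curthread->td_ucred` at the top of pmap_pinit_type(), so the credential examined belongs to whichever thread is initializing the pmap, sampled once at that moment. Nothing in these hunks revisits the choice, so a process that later changes its uid or is attached to a jail keeps the PTI state picked here. Consider passing the target credential in explicitly, or add a comment stating that the decision is made at pmap creation and is not re-evaluated.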
@@ -2689,7 +2691,7 @@
  if (pm_type == PT_X86) {
  pmap->pm_cr3 = pml4phys;
  pmap_pinit_pml4(pml4pg);
- if (pti) {
+ if (pti && (jailed(cred) || cred->cr_ruid != 0)) {
  pml4pgu = vm_page_alloc(NULL, 0, VM_ALLOC_NORMAL |
     VM_ALLOC_NOOBJ | VM_ALLOC_WIRED | VM_ALLOC_WAITOK);
  pmap->pm_pml4u = (pml4_entry_t *)PHYS_TO_DMAP(
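Review bot: the new condition tests `cred->cr_ruid`, the real uid, so a process that started as root and lowered only its effective uid still counts as superuser and gets no user page table. Such a process runs without the isolation PTI provides even though it may be handling untrusted input under a non-root effective uid. State in a comment which credential field is intended and why, or test the effective uid as well so the exclusion applies only to processes that are root in both senses.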

which excludes those processes that are running as superuser and are not in-jail.

Another approach, suggested by kib, is to provide finer-grained control.  Perhaps using procctl(2) instead.

I'm curious to solicit some feedback on this.

Thanks!

Tycho
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "[hidden email]"

Re: excluding processes from PTI

Ed Schouten-6
Hi Tycho,

2018-04-16 21:33 GMT+02:00 Tycho Nightingale <[hidden email]>:
> -               if (pti) {
> +               if (pti && (jailed(cred) || cred->cr_ruid != 0)) {
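Review bot: with this condition the exclusion is always in effect when `pti` is enabled; its only inputs are `pti`, `jailed(cred)` and `cr_ruid`, so an administrator who wants PTI for every process has no way to ask for it. Gate the exclusion behind a tunable that defaults to off, and add a comment above the `if` recording the policy.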
>
> which excludes those processes that are running as superuser and are not in-jail.
>
> Another approach, suggested by kib, is to provide finer-grained control.  Perhaps using procctl(2) instead.

Maybe it's sufficient to just use priv_check() here?

--
Ed Schouten <[hidden email]>
Nuxi, 's-Hertogenbosch, the Netherlands