From: Dewayne Geraghty
Date: Wed, 20 Nov 2019 14:05:54 +1100
Subject: Jails with securelevel 3 still need retpoline?
To: freebsd-security@freebsd.org

I want to have a secure platform, but would not like to degrade performance (amd64-based systems).

If everything that a user touches is in a jail (sendmail, dovecot, squid, httpd, ...), and each jail is running at secure level 3 AND there are no /dev/mem nor /dev/kmem devices accessible within the jail, do I still need to mitigate unauthorised access in src.conf, prior to a build, using WITH_RETPOLINE & WITH_KERNEL_RETPOLINE?

Part of the reason for concern is when I jexec into j1,

j1# tty
/dev/pts/8

even though there is no pts node under /dev.

j1# ls /dev/
crypto fd null random stderr stdin stdout urandom zero

root is further restricted as I'm also running (most) applications with unprivileged identities (e.g. www) where I'm leveraging security.mac.portacl.rules.

This has been on my mind for some time, but now a decision is needed, so any advice welcome :)