From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Eric Paris <eparis@redhat.com>
Cc: Arjan van de Ven <arjan@infradead.org>,
	James Morris <jmorris@namei.org>,
	linux-kernel@vger.kernel.org, sds@tycho.nsa.gov,
	morgan@kernel.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH] capability: WARN when invalid capability is requested rather than BUG/panic
Date: Wed, 1 Oct 2008 10:44:58 -0500	[thread overview]
Message-ID: <20081001154458.GA13889@us.ibm.com> (raw)
In-Reply-To: <1222875160.28251.133.camel@localhost.localdomain>

Quoting Eric Paris (eparis@redhat.com):
> On Tue, 2008-09-30 at 10:28 -0700, Arjan van de Ven wrote:
> > On Tue, 30 Sep 2008 13:22:30 -0400
> > Eric Paris <eparis@redhat.com> wrote:
> > > 
> > > No argument from me that patching up for buggy drivers sucks.  Yours
> > > would be less overhead, and it would return the cap system back to
> > > pre-2.6.25 operation (garbage in garbage out but no panic).  Since we
> > > already have the branch in SELinux it's no 'extra' overhead to EPERM
> > > there instead of here (garbage in EPERM out).
> > 
> > to be honest, this is really a case of 
> > panic("This stuff is really borken")
> > 
> > if it passes some random value, what other APIs does it pass a random
> > value to?
> > 
> > (and in addition, random values to security critical APIs deserve a
> > process kill, because it could well be an exploit attempt at guessing
> > something. At least by not letting it live it's harder to get such type
> > of exploits to be able to guess things. So imo, BUG() is the right
> > answer)
> 
> Do we have any concern of a module being compiled against a new kernel
> say with cap number 35 defined and then loaded into a kernel with only
> 34 capabilities?  Do we care about that forward compatibility?  If we
> care BUG is scary.  EPERM would be the right thing since clearly on this
> kernel the process can't possibly have cap #35.
> 
> We really have 4 options (in the order I like them).
> 
> 1) do nothing (garbage in garbage out, sometimes panic sometimes not)
> 2) mask CAP_TO_INDEX (garbage in garbage out, no panic)
> 3) BUG_ON(!cap_valid(flag)) (garbage in BUG out, no panic)
> 4) WARN_ON/EPERM (garbage in EPERM out, no panic)
> 
> SELinux already sorta does #3 and #4 (we will panic if cap > 64 and will
> EPERM between the max cap and 64) but I really don't like being blamed
> when it's not my fault.  SELinux takes enough crap when people's systems
> don't work and this time it's clearly not my fault, which is why I'm
> pushing this.

 :)

> If we believe the capability system should take paths 1, 2, or 4 I'm
> going to take path 4 in SELinux.  If capabilities wants to take path 3,
> I'm ok with that too.  It's going to break a lot of people's machines I'm
> afraid, but it would force ATI to fix their crap....

Assuming you have a kernel with your patch for 4, could you just run
some perf tests vs the unpatched kernel to show there's really no
meaningful performance impact?

-serge

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
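Added illustration of the options Eric lists above (this is example code written for this page, not the kernel's capability code or anything posted in the thread). It models a two-word capability bitmap of the kind that kernel era used and contrasts option 2 (mask CAP_TO_INDEX so the lookup can never run off the end of the array, but an out-of-range cap number silently aliases a real one) with option 4 (warn and return -EPERM for any cap number that fails a cap_valid() range check). The CAP_LAST_CAP value, the cap_set_t layout and the warn_count stand-in for WARN_ON are assumptions chosen for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 64-bit capability set: two 32-bit words.
 * Assumption for this example: 34 capabilities, numbered 0..33. */
#define CAP_U32S      2
#define CAP_LAST_CAP  33
#define CAP_TO_INDEX(x) ((unsigned)(x) >> 5)      /* which word */
#define CAP_TO_MASK(x)  (1u << ((unsigned)(x) & 31)) /* bit in that word */

typedef struct { uint32_t cap[CAP_U32S]; } cap_set_t;

/* Range check: only cap numbers the running kernel actually defines. */
int cap_valid(int cap)
{
    return cap >= 0 && cap <= CAP_LAST_CAP;
}

/* Stand-in for WARN_ON: counts how often the checked path rejected a cap. */
int warn_count = 0;

/* Option 2: mask the word index. Never indexes past the array, but a
 * bogus cap number (e.g. 97) maps onto the bit of a real cap (here 33)
 * and may look "granted". Garbage in, garbage out. */
int capable_masked(const cap_set_t *s, int cap)
{
    unsigned idx = CAP_TO_INDEX(cap) & (CAP_U32S - 1);
    return (s->cap[idx] & CAP_TO_MASK(cap)) != 0;
}

/* Option 4: reject anything outside the defined range with -EPERM,
 * after logging it, so a driver passing junk is denied and visible
 * instead of crashing the box or being silently granted. */
int capable_checked(const cap_set_t *s, int cap)
{
    if (!cap_valid(cap)) {
        warn_count++;
        fprintf(stderr, "WARNING: invalid capability %d requested\n", cap);
        return -EPERM;
    }
    return (s->cap[CAP_TO_INDEX(cap)] & CAP_TO_MASK(cap)) != 0;
}

/* Build a set holding cap 0 and cap 33 only (constructed sample). */
cap_set_t sample_set(void)
{
    cap_set_t s = { { 0, 0 } };
    s.cap[CAP_TO_INDEX(0)]  |= CAP_TO_MASK(0);
    s.cap[CAP_TO_INDEX(33)] |= CAP_TO_MASK(33);
    return s;
}

int main(void)
{
    cap_set_t s = sample_set();
    printf("cap 33  checked=%d masked=%d\n",
           capable_checked(&s, 33), capable_masked(&s, 33));
    printf("cap 97  checked=%d masked=%d (aliases cap 33)\n",
           capable_checked(&s, 97), capable_masked(&s, 97));
    printf("warnings: %d\n", warn_count);
    return 0;
}
```

The masked variant returns 1 for cap 97 because 97 & 31 == 1 and word index 3 & 1 == 1, which is exactly the bit that holds cap 33; the checked variant returns -EPERM and leaves a log line behind, which is the property the WARN_ON/EPERM option is after.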
