From: Josh Triplett <josh@joshtriplett.org>
To: David Drysdale <drysdale@google.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>,
Linux API <linux-api@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Arnd Bergmann <arnd@arndb.de>,
Shuah Khan <shuahkh@osg.samsung.com>,
Jonathan Corbet <corbet@lwn.net>,
Eric B Munson <emunson@akamai.com>,
Randy Dunlap <rdunlap@infradead.org>,
Andrea Arcangeli <aarcange@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
Oleg Nesterov <oleg@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Al Viro <viro@zeniv.linux.org.uk>,
Rusty Russell <rusty@rustcorp.com.au>,
Peter Zijlstra <peterz@infradead.org>,
Vivek Goyal <vgoyal@redhat.com>,
Alexei Starovoitov <ast@plumgrid.com>,
David Herrmann <dh.herrmann@gmail.com>,
Theodore Ts'o <tytso@mit.edu>,
Kees
Subject: Re: [PATCHv2 1/1] Documentation: describe how to add a system call
Date: Fri, 31 Jul 2015 06:06:21 -0700 [thread overview]
Message-ID: <20150731130620.GA16435@x> (raw)
In-Reply-To: <CAHse=S-jtynT-1Pk8+JMd98wViao-bJh3K8TtGKPk7RXWgy=rg@mail.gmail.com>
On Fri, Jul 31, 2015 at 10:48:32AM +0100, David Drysdale wrote:
> On Thu, Jul 30, 2015 at 7:50 PM, Josh Triplett <josh@joshtriplett.org> wrote:
> > On Thu, Jul 30, 2015 at 08:52:11AM +0100, David Drysdale wrote:
> >> Add a document describing the process of adding a new system call,
> >> including the need for a flags argument for future compatibility, and
> >> covering 32-bit/64-bit concerns (albeit in an x86-centric way).
> >>
> >> Signed-off-by: David Drysdale <drysdale@google.com>
> >> Reviewed-by: Michael Kerrisk <mtk.manpages@gmail.com>
> >> Reviewed-by: Eric B Munson <emunson@akamai.com>
> >> Reviewed-by: Kees Cook <keescook@chromium.org>
> >> Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
> >
> > A few comments below. I also agree with Ingo's comment about
> > documenting the param-structure approach in addition to flags.
>
> Many thanks for looking through the doc in detail!
>
> I'll send out an updated doc today; I'm then on vacation for the next
> week so I'll collate further feedback after I return.
Thanks for the quick response and for incorporating these changes.
> > Some things to add a this point, before talking about adding a new file
> > descriptor:
> >
> > If you want to provide userspace with a handle to a kernel object, do so
> > in the form of a file descriptor. Do not invent a new type of userspace
> > object handle with its own namespace. The kernel already has numerous
> > system calls and well-defined semantics for managing and passing around
> > file descriptors, as well as for cleaning up when the file descriptor is
> > no longer in use.
> >
> > If your new system call returns a file descriptor, think about what it
> > means to use the poll(2) family of syscalls on that file descriptor. If
> > you want to send an event to userspace associated with your kernel
> > object, you should do so by making your file descriptor ready for
> > reading or writing.
>
> Good points, I've added a couple of paragraphs along these lines:
>
> "
> If your new system call allows userspace to refer to a kernel object, it
> should use a file descriptor as the handle for that object -- don't invent a
> new type of userspace object handle when the kernel already has mechanisms and
> well-defined semantics for using file descriptors.
>
> [snip: existing text on CLOEXEC]
>
> If your system call returns a new file descriptor, you should also consider
> what it means to use the poll(2) family of system calls on that file
> descriptor. Making a file descriptor ready for reading or writing is the
> normal way for the kernel to indicate to userspace that an event has
> occurred on the corresponding kernel object.
> "
These look good to me.
> >> +needs to be governed by the appropriate Linux capability bit (checked with a
> >> +call to capable()), as described in the capabilities(7) man page.
> >> +
> >> + - If there is an existing capability that governs related functionality, then
> >> + use that. However, avoid combining lots of only vaguely related functions
> >> + together under the same bit, as this goes against capabilities' purpose of
> >> + splitting the power of root. In particular, avoid adding new uses of the
> >> + already overly-general CAP_SYS_ADMIN capability.
> >> + - If there is no related capability, then consider adding a new capability
> >> + bit -- but bear in mind that the numbering space is limited, and each new
> >> + bit needs to be understood and administered by sysadmins.
> >
> > Many previous discussions on this topic seem to have concluded that it's
> > almost impossible to add a new capability without breaking existing
> > programs. I would suggest not even mentioning this possibility.
>
> I'm not particularly knowledgable about capabilities (at least, not the
> POSIX.1e/Linux kind), so I'll confess that I got this suggestion from
> Michael Kerrisk.
>
> Michael, do you agree that we should just drop the possibility of adding
> new capability bits?
>
> Also, Josh, do you have any references to the earlier discussions on the
> topic so I can update the Sources section?
No direct links handy at the moment without some searching, but one
iteration of it came up when Matthew Garrett suggested adding
CAP_COMPROMISE_KERNEL, and the ensuing discussion of capability
semantics suggested that the way the capability space was defined and
controlled by userspace meant that adding any new capability would
effectively break userspace ABI. The userspace ABI for capabilities is
not clear; some applications drop all possible capabilities and could
get surprised by a new capability being dropped, while other
applications drop only capabilities they know about and could get
surprised by a new capability *not* being dropped.
- Josh Triplett
next prev parent reply other threads:[~2015-07-31 13:06 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-30 7:52 [PATCHv2 0/1] Document how to add a new syscall David Drysdale
2015-07-30 7:52 ` [PATCHv2 1/1] Documentation: describe how to add a system call David Drysdale
2015-07-30 8:38 ` Ingo Molnar
[not found] ` <20150730083831.GA22182-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2015-07-30 11:10 ` David Drysdale
2015-07-30 18:21 ` Kees Cook
[not found] ` <CAGXu5j+5KHy68ELU6PmNWaj7mQBXTbRQGXqJFwsXHt9n0LPw8Q-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-07-30 19:04 ` Josh Triplett
2015-07-30 20:03 ` Kees Cook
2015-07-31 1:02 ` Josh Triplett
2015-07-31 1:03 ` Josh Triplett
2015-07-31 18:56 ` Kees Cook
2015-07-31 20:59 ` josh
2015-07-31 21:19 ` Andy Lutomirski
[not found] ` <CALCETrUkMXvFRKdTH7ekY7FyGvbKDDJbf7L0shgs5R-Hep6bVA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2015-07-31 22:08 ` josh-iaAMLnmF4UmaiuxdJuQwMA
2015-07-31 22:54 ` Andy Lutomirski
2015-08-01 4:32 ` Josh Triplett
2015-08-01 4:56 ` H. Peter Anvin
[not found] ` <55BC518E.4010102-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2015-08-01 6:18 ` Josh Triplett
2015-08-01 6:28 ` H. Peter Anvin
2015-07-30 18:22 ` Josh Triplett
2015-07-30 16:30 ` Cyril Hrubis
2015-07-30 16:45 ` Greg Kroah-Hartman
2015-07-30 18:50 ` Josh Triplett
2015-07-31 9:48 ` David Drysdale
2015-07-31 13:06 ` Josh Triplett [this message]
2015-07-31 14:42 ` David Drysdale
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150731130620.GA16435@x \
--to=josh@joshtriplett.org \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=ast@plumgrid.com \
--cc=corbet@lwn.net \
--cc=dh.herrmann@gmail.com \
--cc=drysdale@google.com \
--cc=emunson@akamai.com \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=linux-api@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mingo@redhat.com \
--cc=mtk.manpages@gmail.com \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=rdunlap@infradead.org \
--cc=rusty@rustcorp.com.au \
--cc=shuahkh@osg.samsung.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=vgoyal@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).