public inbox for linux-kernel@vger.kernel.org
From: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Linux Input <linux-input@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Jason Wessel <jason.wessel@windriver.com>
Subject: Re: [RFC] Input: implement sysrq as an input handler
Date: Fri, 19 Mar 2010 23:53:29 -0300
Message-ID: <20100320025329.GA2468@khazad-dum.debian.net>
In-Reply-To: <20100319180314.GB12143@core.coreip.homeip.net>

On Fri, 19 Mar 2010, Dmitry Torokhov wrote:
> On Fri, Mar 19, 2010 at 01:06:41PM -0300, Henrique de Moraes Holschuh wrote:
> > On Thu, 18 Mar 2010, Dmitry Torokhov wrote:
> > > On Thu, Mar 18, 2010 at 09:00:43PM -0300, Henrique de Moraes Holschuh wrote:
> > > > Any chance of the user being able to avoid the SysRQ events getting to the
> > > > handle, e.g. by opening the input device in exclusive mode or something like
> > > > that?
> > > 
> > > Yes, it is possible to suppress SysRq by grabbing an input device.
> > > This possibility exists with the current implementation too though -
> > > after all legacy keyboard driver is implemented as an input handler as
> > > well.
> > > 
> > > ... or am I answering a question different from the one you asked? ;)
> > 
> > No, that's exactly what I wanted to know.
> > 
> > What about SAK?  That thing *has* to be untrappable.
> 
> On what level untrappable? And what exactly is SAK? There is not a
> special key, at least not in general case, it is an action assigned to a
> key combo.  Root can "trap" legacy keyboard SAK with loadkeys; it can
> also disable sysrq, unload modules and do other nasty things. But
> ordinary users can not trap it.

root isn't really a problem from a security PoV (well, maybe it is if the
operation isn't constrained by capabilities).  SAK can't protect you from
root.

_Normal_ userspace behaviour running a root process is a problem if it
blocks these handles, though, both for SAK and regular SysRQ.  I have lost
count of how many times SysRQ+SUB delivered me from filesystem corruption
and very annoying problems, both at home and at work.

We are sort of trusting userspace to not break the one way out from severely
hung systems while doing its normal day-to-day operations (as opposed to
deliberately disabling SysRQ or remapping SAK, etc).

> > Even for the SysRQ debug events, I'd feel better if we could have a class of
> > system input handlers that cannot be suppressed to use for these things.
> 
> That would require moving "these things", including their state
> machines, into input core otherwise it would not know what events can be
> trappable and which should be passed through. Or we should get rid of
> EVIOCGRAB.

Maybe we can add a flags field to input devices and input handlers, to be
able to have the core behave differently when needed, without moving
everything into the input core?  Would that work, or would it need too much
churn in the core?

> Given the fact that event devices are accessible only to root I think
> that current behavior is acceptable.

I don't trust the class of programs that would want to open input devices as
root in exclusive mode.  Desktop fluff might decide to use EVIOCGRAB or open
input devices in exclusive mode for some reason, and break SysRQ.  I'd like
to preserve the ability of userspace to EVIOCGRAB if it feels there's a
need to, while preserving the kernel's ability to NEVER ignore SysRQ and
SAK while enabled.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
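
Added example, not part of the original message and not kernel code: a simplified user-space model of the point debated above, where an exclusive grab starves every other handler unless the core honours a per-handler flag. The flag HANDLER_NO_SUPPRESS, the struct names and the helper functions are hypothetical names chosen for this illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical flag: handler keeps receiving events while the device is grabbed. */
#define HANDLER_NO_SUPPRESS 0x1u

struct handler {
    const char *name;
    unsigned int flags;
    int events_seen;
};

struct input_dev_model {
    struct handler *grab;       /* exclusive owner (EVIOCGRAB-style), or NULL */
    struct handler **handlers;  /* every handler attached to the device */
    size_t n_handlers;
};

/* Deliver one event. honor_flag=0: the grab owner takes everything.
 * honor_flag=1: flagged handlers are also served, as the proposal asks. */
static void pass_event(struct input_dev_model *dev, int honor_flag)
{
    for (size_t i = 0; i < dev->n_handlers; i++) {
        struct handler *h = dev->handlers[i];
        if (dev->grab == NULL || dev->grab == h ||
            (honor_flag && (h->flags & HANDLER_NO_SUPPRESS)))
            h->events_seen++;
    }
}

/* Send one event while "evdev" holds the grab; return what handler idx saw.
 * idx: 0 = evdev (grab owner), 1 = kbd, 2 = sysrq (flagged). */
int events_under_grab(int idx, int honor_flag)
{
    struct handler evdev = { "evdev", 0, 0 };
    struct handler kbd   = { "kbd", 0, 0 };
    struct handler sysrq = { "sysrq", HANDLER_NO_SUPPRESS, 0 };
    struct handler *list[] = { &evdev, &kbd, &sysrq };
    struct input_dev_model dev = { &evdev, list, 3 };

    pass_event(&dev, honor_flag);
    return list[idx]->events_seen;
}

int main(void)
{
    printf("grab takes all: sysrq saw %d\n", events_under_grab(2, 0));
    printf("flag honoured:  sysrq saw %d, kbd saw %d\n",
           events_under_grab(2, 1), events_under_grab(1, 1));
    return 0;
}
```

In the model the grab still hides events from the unflagged keyboard handler, so userspace keeps exclusive access for ordinary input while the flagged handler is never starved.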
