From: josh@joshtriplett.org
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Iulia Manda <iulia.manda21@gmail.com>,
gnomes@lxorguk.ukuu.org.uk, serge.hallyn@canonical.com,
linux-kernel@vger.kernel.org, akpm@linux-foundation.org,
paulmck@linux.vnet.ibm.com, peterz@infradead.org, mhocko@suse.cz,
LSM <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v2] kernel: Conditionally support non-root users, groups and capabilities
Date: Thu, 29 Jan 2015 16:43:25 -0800 [thread overview]
Message-ID: <20150130004325.GA14757@cloud> (raw)
In-Reply-To: <54CAC5EE.8060107@schaufler-ca.com>
On Thu, Jan 29, 2015 at 03:44:46PM -0800, Casey Schaufler wrote:
> On 1/29/2015 10:43 AM, Iulia Manda wrote:
> > There are a lot of embedded systems that run most or all of their functionality
> > in init, running as root:root. For these systems, supporting multiple users is
> > not necessary.
> >
> > This patch adds a new symbol, CONFIG_NON_ROOT, that makes support for non-root
> > users, non-root groups, and capabilities optional.
> >
> > When this symbol is not defined, UID and GID are zero in any possible case
> > and processes always have all capabilities.
> >
> > The following syscalls are compiled out: setuid, setregid, setgid,
> > setreuid, setresuid, getresuid, setresgid, getresgid, setgroups, getgroups,
> > setfsuid, setfsgid, capget, capset.
> >
> > Also, groups.c is compiled out completely.
> >
> > This change saves about 25 KB on a defconfig build.
> >
> > The kernel was booted in Qemu. All the common functionalities work. Adding
> > users/groups is not possible, failing with -ENOSYS.
> >
> > Bloat-o-meter output:
> > add/remove: 7/87 grow/shrink: 19/397 up/down: 1675/-26325 (-24650)
> >
> > Signed-off-by: Iulia Manda <iulia.manda21@gmail.com>
> > Reviewed-by: Josh Triplett <josh@joshtriplett.org>
>
> v2 does nothing to address the longstanding position of
> the community that disabling the traditional user based
> access controls is unacceptable.
So far that "longstanding position" consists of you griping that we're
not implementing authoritative LSM hooks for you and re-fighting that
battle for you. Patches for authoritative LSM hooks did indeed get
refused long ago, which is an excellent reason for us to not recast this
patch to reimplement them that way.
If it does turn out that the security maintainers in the kernel are open
to the idea of authoritative LSM hooks, by all means I would encourage
you to revisit such hooks. But there's a significant difference between
"add the ability to disable access controls" and "add a framework that
allows replacing the user/group security model with arbitrary access
controls", and it's not at all obvious that the "right" solution for the
former is an implementation of the latter; it also seems entirely
plausible that the kernel community remains opposed to the latter, which
does not necessarily rule out the former.
Given that, it would be helpful to hear feedback from more of the
community.
> Speaking of the LSM, what is your expectation regarding the
> use of security modules in addition to "NON_ROOT"? Is it
> forbidden, allowed or encouraged?
I would expect that any security module would need to depend on NON_ROOT
(or MULTIUSER as v3 may end up calling it, per Geert Uytterhoeven's
suggestion). A kernel configuration with this option turned off
intentionally does not *have* user/group access controls. The intent of
this option isn't "turn standard access controls off so they get out of
the way of non-standard access controls"; the intent is "turn all access
controls off because there will never be unprivileged processes on this
system".
So, on that basis, it sounds like v3 should add a dependency from
SECURITY to MULTIUSER.
- Josh Triplett
next prev parent reply other threads:[~2015-01-30 0:43 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-29 18:43 [PATCH v2] kernel: Conditionally support non-root users, groups and capabilities Iulia Manda
2015-01-29 18:59 ` Geert Uytterhoeven
2015-01-29 20:01 ` josh
2015-01-29 20:16 ` Geert Uytterhoeven
2015-01-29 23:44 ` Casey Schaufler
2015-01-30 0:32 ` Paul E. McKenney
2015-01-30 1:25 ` Casey Schaufler
2015-01-30 1:36 ` Paul E. McKenney
2015-01-30 2:25 ` Casey Schaufler
2015-01-30 7:07 ` Paul E. McKenney
2015-01-30 19:13 ` josh
2015-01-30 19:48 ` Casey Schaufler
2015-01-30 20:20 ` Austin S Hemmelgarn
2015-01-30 21:40 ` Josh Triplett
2015-01-30 21:56 ` Richard Weinberger
2015-01-31 23:30 ` Paul E. McKenney
2015-01-31 23:33 ` Richard Weinberger
2015-02-01 19:45 ` Paul E. McKenney
2015-01-31 17:00 ` Jarkko Sakkinen
2015-01-30 0:43 ` josh [this message]
2015-01-30 2:05 ` Casey Schaufler
2015-01-30 21:04 ` Josh Triplett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150130004325.GA14757@cloud \
--to=josh@joshtriplett.org \
--cc=akpm@linux-foundation.org \
--cc=casey@schaufler-ca.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=iulia.manda21@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mhocko@suse.cz \
--cc=paulmck@linux.vnet.ibm.com \
--cc=peterz@infradead.org \
--cc=serge.hallyn@canonical.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox