From: "Serge E. Hallyn" <serge@hallyn.com>
To: Kees Cook <keescook@chromium.org>
Cc: John Stultz <john.stultz@linaro.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Andrew Morton <akpm@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Arjan van de Ven <arjan@linux.intel.com>,
lkml <linux-kernel@vger.kernel.org>,
Oren Laadan <orenl@cellrox.com>,
Ruchi Kandoi <kandoiruchi@google.com>,
Rom Lemarchand <romlem@android.com>,
Android Kernel Team <kernel-team@android.com>,
Todd Kjos <tkjos@google.com>, Colin Cross <ccross@android.com>,
Nick Kralevich <nnk@google.com>,
Dmitry Shmidt <dimitrysh@google.com>,
Elliott Hughes <enh@google.com>
Subject: Re: [PATCH 2/2] proc: Add /proc/<pid>/timerslack_ns interface
Date: Thu, 14 Jul 2016 12:49:18 -0500 [thread overview]
Message-ID: <20160714174918.GA3302@mail.hallyn.com> (raw)
In-Reply-To: <CAGXu5jLtwanTYJeFSw1GjPTfd=k1LXv0bkCP3y0A57_xjj92yQ@mail.gmail.com>
Quoting Kees Cook (keescook@chromium.org):
> On Thu, Jul 14, 2016 at 9:09 AM, John Stultz <john.stultz@linaro.org> wrote:
> > On Thu, Jul 14, 2016 at 5:48 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
> >> Quoting Kees Cook (keescook@chromium.org):
> >>> I think the original CAP_SYS_NICE should be fine. A malicious
> >>> CAP_SYS_NICE process can do plenty of insane things, I don't feel like
> >>> the timer slack adds to any realistic risks.
> >>
> >> Can someone give a detailed explanation of what you could do with
> >> the new timerslack feature and compare it to what you can do with
> >> sys_nice?
> >
> > Looking at the man page for CAP_SYS_NICE, it looks like such a task
> > can set a task as SCHED_FIFO, so they could fork some spinning
> > processes and set them all SCHED_FIFO 99, in effect delaying all other
> > tasks for an infinite amount of time.
> >
> > So one might argue setting large timerslack vlaues isn't that
> > different risk wise?
>
> Right -- you can hose a system with CAP_SYS_NICE already; I don't
> think timerslack realistically changes that.
Thanks - so it seems to me if we go with CAP_SYS_NICE we are giving
those who can already hose the system another vector to doing so. But
if we require CAP_SYS_PTRACE then we are giving those who can newly hose
the system also the ability to subvert any task. It sounds like
CAP_SYS_NICE is the winner.
Kees, you said adding a capability is hard - can you expound on that?
next prev parent reply other threads:[~2016-07-14 17:49 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-17 1:06 [PATCH 0/2] Extend timer_slack_ns to u64 on 32bit systems & add /proc/<pid>/timerslack_ns John Stultz
2016-02-17 1:06 ` [PATCH 1/2] timer: Convert timer_slack_ns from unsigned long to u64 John Stultz
2016-02-17 1:06 ` [PATCH 2/2] proc: Add /proc/<pid>/timerslack_ns interface John Stultz
2016-02-17 19:35 ` Andrew Morton
2016-02-17 20:09 ` Kees Cook
2016-02-17 20:18 ` Andrew Morton
2016-02-17 20:51 ` John Stultz
2016-02-17 21:07 ` Andrew Morton
2016-02-17 22:29 ` John Stultz
2016-02-17 22:45 ` Kees Cook
2016-02-17 22:51 ` John Stultz
2016-02-17 22:53 ` Andrew Morton
2016-02-17 20:49 ` John Stultz
2016-02-18 5:59 ` [PATCH] proc: /proc/<pid>/timerslack_ns permissions fixes John Stultz
2016-02-18 17:52 ` Kees Cook
2016-07-13 23:47 ` [PATCH 2/2] proc: Add /proc/<pid>/timerslack_ns interface John Stultz
2016-07-14 3:39 ` Kees Cook
2016-07-14 5:29 ` Arjan van de Ven
2016-07-14 12:48 ` Serge E. Hallyn
2016-07-14 13:42 ` Arjan van de Ven
2016-07-14 16:01 ` John Stultz
2016-07-14 16:09 ` John Stultz
2016-07-14 17:45 ` Kees Cook
2016-07-14 17:48 ` Arjan van de Ven
2016-07-14 17:49 ` Serge E. Hallyn [this message]
2016-07-14 17:56 ` Kees Cook
2016-07-14 20:21 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160714174918.GA3302@mail.hallyn.com \
--to=serge@hallyn.com \
--cc=akpm@linux-foundation.org \
--cc=arjan@linux.intel.com \
--cc=ccross@android.com \
--cc=dimitrysh@google.com \
--cc=enh@google.com \
--cc=john.stultz@linaro.org \
--cc=kandoiruchi@google.com \
--cc=keescook@chromium.org \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nnk@google.com \
--cc=orenl@cellrox.com \
--cc=romlem@android.com \
--cc=tglx@linutronix.de \
--cc=tkjos@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).