From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751380AbcGNRtW (ORCPT <rfc822;w@1wt.eu>);
	Thu, 14 Jul 2016 13:49:22 -0400
Received: from h2.hallyn.com ([78.46.35.8]:59542 "EHLO h2.hallyn.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751051AbcGNRtU (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 14 Jul 2016 13:49:20 -0400
Date: Thu, 14 Jul 2016 12:49:18 -0500
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Kees Cook <keescook@chromium.org>
Cc: John Stultz <john.stultz@linaro.org>, "Serge E. Hallyn" <serge@hallyn.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Arjan van de Ven <arjan@linux.intel.com>,
        lkml <linux-kernel@vger.kernel.org>, Oren Laadan <orenl@cellrox.com>,
        Ruchi Kandoi <kandoiruchi@google.com>,
        Rom Lemarchand <romlem@android.com>,
        Android Kernel Team <kernel-team@android.com>,
        Todd Kjos <tkjos@google.com>, Colin Cross <ccross@android.com>,
        Nick Kralevich <nnk@google.com>, Dmitry Shmidt <dimitrysh@google.com>,
        Elliott Hughes <enh@google.com>
Subject: Re: [PATCH 2/2] proc: Add /proc/<pid>/timerslack_ns interface
Message-ID: <20160714174918.GA3302@mail.hallyn.com>
References: <1455671191-32105-1-git-send-email-john.stultz@linaro.org>
 <1455671191-32105-3-git-send-email-john.stultz@linaro.org>
 <CALAqxLUsJ8Aph76mJ9xZWry56xvL8wKy+HVbgh=NQ-fimFUtJg@mail.gmail.com>
 <CAGXu5jJwAVdKBKUgWgGvwoHn8p7bNWMVK8+BNqmaE+Q7TrT1rA@mail.gmail.com>
 <20160714124806.GB31333@mail.hallyn.com>
 <CALAqxLWb6LaLro-dCYF1Upm1=4Dag1JfrmsxrjWhc6x-keGzkg@mail.gmail.com>
 <CAGXu5jLtwanTYJeFSw1GjPTfd=k1LXv0bkCP3y0A57_xjj92yQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAGXu5jLtwanTYJeFSw1GjPTfd=k1LXv0bkCP3y0A57_xjj92yQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting Kees Cook (keescook@chromium.org):
> On Thu, Jul 14, 2016 at 9:09 AM, John Stultz <john.stultz@linaro.org> wrote:
> > On Thu, Jul 14, 2016 at 5:48 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
> >> Quoting Kees Cook (keescook@chromium.org):
> >>> I think the original CAP_SYS_NICE should be fine. A malicious
> >>> CAP_SYS_NICE process can do plenty of insane things, I don't feel like
> >>> the timer slack adds to any realistic risks.
> >>
> >> Can someone give a detailed explanation of what you could do with
> >> the new timerslack feature and compare it to what you can do with
> >> sys_nice?
> >
> > Looking at the man page for CAP_SYS_NICE, it looks like such a task
> > can set a task as SCHED_FIFO, so they could fork some spinning
> > processes and set them all SCHED_FIFO 99, in effect delaying all other
> > tasks for an infinite amount of time.
> >
> > So one might argue setting large timerslack vlaues isn't that
> > different risk wise?
> 
> Right -- you can hose a system with CAP_SYS_NICE already; I don't
> think timerslack realistically changes that.

Thanks - so it seems to me if we go with CAP_SYS_NICE we are giving
those who can already hose the system another vector to doing so.  But
if we require CAP_SYS_PTRACE then we are giving those who can newly hose
the system also the ability to subvert any task.  It sounds like
CAP_SYS_NICE is the winner.

Kees, you said adding a capability is hard - can you expound on that?