From: Casey Schaufler
To: josh@joshtriplett.org
CC: paulmck@linux.vnet.ibm.com, Iulia Manda, gnomes@lxorguk.ukuu.org.uk, serge.hallyn@canonical.com, linux-kernel@vger.kernel.org, akpm@linux-foundation.org, peterz@infradead.org, mhocko@suse.cz, LSM, Casey Schaufler
Subject: Re: [PATCH v2] kernel: Conditionally support non-root users, groups and capabilities
Date: Fri, 30 Jan 2015 11:48:04 -0800
Message-ID: <54CBDFF4.1070503@schaufler-ca.com>
In-Reply-To: <20150130191302.GA19744@cloud>
References: <20150129184311.GA6404@winterfell> <54CAC5EE.8060107@schaufler-ca.com> <20150130003228.GJ19109@linux.vnet.ibm.com> <54CADDA4.4040602@schaufler-ca.com> <20150130013600.GM19109@linux.vnet.ibm.com> <54CAEB93.5090508@schaufler-ca.com> <20150130191302.GA19744@cloud>
List-ID: linux-kernel@vger.kernel.org

On 1/30/2015 11:13 AM, josh@joshtriplett.org wrote:
> On Thu, Jan 29, 2015 at 06:25:23PM -0800, Casey Schaufler wrote:
>> On 1/29/2015 5:36 PM, Paul E. McKenney wrote:
>>> A few K here, a few K there, and pretty soon you actually fit into the
>>> small-memory 32-bit SoCs. I do not believe that the processing time
>>> is the issue.
>> And UNIX, with UID and GID processing, used to run in 64K of RAM,
>> without swap or paging. Bluntly, there are many other places to look
>> before you go here.
> And we're looking in all those places too. Each patch is worth
> evaluating independently. We've *already* gone here, the code is
> written (and being revised based on feedback), and "go work over there
> out of my backyard" is not going to work. One of these days, we're
> going to run in 64k again.

Oh good heavens. Don't take this personally. I don't.

>>>> As for LSMs, I can easily see putting in the security model from the old
>>>> RTOS on top of a NON_ROOT configuration. Won't that be fun when the CVEs
>>>> start to fly?
> The security model is "there's one process on this system". (Expect
> patches for CONFIG_FORK=n and CONFIG_EXEC=n at some point.)

Ok. Why not use Bada?

>>>> Do you think you'll be running system services like systemd on top of this?
>>>> Anyone *else* remember what happened when they put capability handling into
>>>> sendmail?
>>> Nope, I don't expect these systems to be using LSM, systemd, or sendmail.
>>> I think that many of these will instead run the application directly
>>> out of the init process.
>> Where an "application" might be something like CrossWalk,
> No, not a chance. If you're running a web runtime, you're on a much
> larger system, and you're going to be less concerned about shaving
> kilobytes; you're also going to want many of the kernel facilities for
> sandboxing code.
>
> The kinds of applications we're talking about here run entirely in one
> binary, serving a few very narrow functions. We're not talking
> "automobile IVI system" here; we're talking "two buttons and an output",
> or "a few sensors and an SD card".

Linux is an insane choice for such a system. Why would you even consider it?

> - Josh Triplett
>