Message-ID: <54CBE793.4020008@gmail.com>
Date: Fri, 30 Jan 2015 15:20:35 -0500
From: Austin S Hemmelgarn
To: Casey Schaufler, josh@joshtriplett.org
CC: paulmck@linux.vnet.ibm.com, Iulia Manda, gnomes@lxorguk.ukuu.org.uk, serge.hallyn@canonical.com, linux-kernel@vger.kernel.org, akpm@linux-foundation.org, peterz@infradead.org, mhocko@suse.cz, LSM
Subject: Re: [PATCH v2] kernel: Conditionally support non-root users, groups and capabilities
References: <20150129184311.GA6404@winterfell> <54CAC5EE.8060107@schaufler-ca.com> <20150130003228.GJ19109@linux.vnet.ibm.com> <54CADDA4.4040602@schaufler-ca.com> <20150130013600.GM19109@linux.vnet.ibm.com> <54CAEB93.5090508@schaufler-ca.com> <20150130191302.GA19744@cloud> <54CBDFF4.1070503@schaufler-ca.com>
In-Reply-To: <54CBDFF4.1070503@schaufler-ca.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2015-01-30 14:48, Casey Schaufler wrote:
> On 1/30/2015 11:13 AM, josh@joshtriplett.org wrote:
>> On Thu, Jan 29, 2015 at 06:25:23PM -0800, Casey Schaufler wrote:
>>> On 1/29/2015 5:36 PM, Paul E. McKenney wrote:
>>>> A few K here, a few K there, and pretty soon you actually fit into the
>>>> small-memory 32-bit SoCs. I do not believe that the processing time
>>>> is the issue.
>>> And UNIX, with UID and GID processing, used to run in 64K of RAM,
>>> without swap or paging. Bluntly, there are many other places to look
>>> before you go here.
>> And we're looking in all those places too. Each patch is worth
>> evaluating independently. We've *already* gone here, the code is
>> written (and being revised based on feedback), and "go work over there
>> out of my backyard" is not going to work. One of these days, we're
>> going to run in 64k again.
>
> Oh good heavens. Don't take this personally. I don't.
>
>>>>> As for LSMs, I can easily see putting in the security model from the old
>>>>> RTOS on top of a NON_ROOT configuration. Won't that be fun when the CVEs
>>>>> start to fly?
>> The security model is "there's one process on this system". (Expect
>> patches for CONFIG_FORK=n and CONFIG_EXEC=n at some point.)
>
> Ok. Why not use Bada?
>
>>>>> Do you think you'll be running system services like systemd on top of this?
>>>>> Anyone *else* remember what happened when they put capability handling into
>>>>> sendmail?
>>>> Nope, I don't expect these systems to be using LSM, systemd, or sendmail.
>>>> I think that many of these will instead run the application directly
>>>> out of the init process.
>>> Where an "application" might be something like CrossWalk,
>> No, not a chance. If you're running a web runtime, you're on a much
>> larger system, and you're going to be less concerned about shaving
>> kilobytes; you're also going to want many of the kernel facilities for
>> sandboxing code.
>>
>> The kinds of applications we're talking about here run entirely in one
>> binary, serving a few very narrow functions. We're not talking
>> "automobile IVI system" here; we're talking "two buttons and an output",
>> or "a few sensors and an SD card".
>
> Linux is an insane choice for such a system. Why would you
> even consider it?
>
Because there are weird people out there who want to do embedded
development in Python, and insane people out there who want to do it in
Perl, and people who want to do real-time stuff but can't for some
reason learn to use something sensible for that like RTEMS or FreeRTOS.

Also, Linux isn't as crazy as some other choices. Many ATMs and cash
registers (at least in the US) run Windows with all of the software
running with administrator privileges, and I've seen my fair share of
minimalistic systems running DOS. While Linux may not be the _best_
choice for such use cases, it by far is not the worst.