Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755503AbaKEP4f (ORCPT ); Wed, 5 Nov 2014 10:56:35 -0500 Received: from mail-la0-f54.google.com ([209.85.215.54]:63535 "EHLO mail-la0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754590AbaKEP4c (ORCPT ); Wed, 5 Nov 2014 10:56:32 -0500 MIME-Version: 1.0 From: Andy Lutomirski Date: Wed, 5 Nov 2014 07:56:08 -0800 Message-ID: Subject: Early comments on kdbus v2 (Re: [PATCH 00/12] Add kdbus implementation) To: Daniel Mack Cc: Greg Kroah-Hartman , Linux API , "linux-kernel@vger.kernel.org" , John Stultz , Arnd Bergmann , Tejun Heo , Marcel Holtmann , Ryan Lortie , Bastien Nocera , David Herrmann , Djalal Harouni , Simon McVittie , "alban.crequy" , Javier Martinez Canillas , Tom Gundersen Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 5, 2014 at 6:34 AM, Daniel Mack wrote: > On 10/29/2014 11:19 PM, Andy Lutomirski wrote: >> I think that each piece of trustable metadata needs to be explicitly >> opted-in to by the sender at the time of capture. Otherwise you're >> asking for lots of information leaks and privilege escalations. This >> is especially important given that some of the items in the current >> list could be rather sensitive. > > Alright, the above seems to pretty much sum up that end of our > discussion. To address this, We've now added the following functionality > for v2: > > * The attach_flags in kdbus_cmd_hello was split into two parts, > attach_flags_send and attach_flags_recv, so each peer may chose what > exactly it want to transmit or receive. > > * Metadata will only be attached to the final message in the > receiver's pool if both the sender's attach_flags_send and the > receiver's attach_flags_recv bit are set. > > * Consequently, the existing KDBUS_ITEM_ATTACH_FLAGS item type is > split into KDBUS_ITEM_ATTACH_FLAGS_SEND and > KDBUS_ITEM_ATTACH_FLAGS_RECV, so that both connection details can be > separately updated through KDBUS_CMD_CONN_UPDATE. > > * To allow for use cases that require certain metadata to be attached > on each message, we've added a negotiation mechanism to the HELLO > ioctl: An optional metadata mask can be passed during the creation > of buses, so bus owners may require certain bits in > attach_flags_send to be set. That way, the creator of the bus will > specify which metadata is required to fulfill the requirements of > the specification of the role of the bus. > > Thanks! Here are some early thoughts based on reading what I think is the v2 documentation online. My general impression is that the semantics of and use cases for passing fds around (including through execve) are not well thought out. I think that the kdbus designers need to decide whether kdbus fds will ever be passed between processes (via execve, SCM_RIGHTS, or kdbus). If yes, there are several issues: The docs for metadata and namespaces suggest that passing fds between namespaces turns off metadata. I don't want to reopen this particular discussion until Eric is back, and I don't think that the code matches the docs, but to me this suggests that no one has really considered how this case is supposed to behave. I think that KDBUS_MESSAGE_SEND needs to specify metadata items to send. Otherwise you'll introduce security problems the first time you ever have a process that accepts a kdbus fd from a process that it should not fully trust. (Note that this is not just my overly paranoid imagination. I've found real security bugs in netlink and procfs based on this. And SCM_CREDENTIALS is broken for similar reasons.) Also, the userspace libraries will need to be rather careful about setting those bits. I don't see a mechanism to prevent resource exhaustion issues in which many fds are recursively shoved into kdbus. (You still may need to address this to some extent if you disallow the transfer of kdbus fds, but it's probably easier to handle.) If no: KDBUS_MESSAGE_SEND should not send metadata items at all, because they will never be interesting. What privilege do you need to create a custom endpoint? What privilege do you need to set its policy? Why do custom endpoints have names at all? Metadata: Please justify each and every metadata with an actual use case or remove it. The justification should include an explanation of why the same thing can't be achieved with policy. Off the top of my head: - KDBUS_ATTACH_TIMESTAMP is fine. - KDBUS_ATTACH_CREDS should be just uid and gid - I tend to think that pid and tid should be separate. They're really their own thing, and, as noted in all the perfectly valid dislike directed at SO_PEERCRED, they have extremely limited value. - starttime should have a justification or be removed. - KDBUS_ATTACH_AUXGROUPS: I'm not sure what to think about this. I feel like it's only useful for implementing strange types of policies. - KDBUS_ATTACH_COMM, KDBUS_ATTACH_CMDLINE, and KDBUS_ATTACH_EXE: Just remove them. There is no point whatsoever in having the kernel try to validate comm and cmdline, and exe is barely better [1]. You realize that there's this thing called PR_SET_NAME, right? Removing these may benefit your arguments about the whole metadata mechanism, too -- these three items are wonderful straw men to poke at, because any concept of trusting them is absurd even ignoring the framework in which they're used. But you can't tell people to shut up and stop attacking straw men, because you've actually proposed these particular straw men. :) - KDBUS_ATTACH_CGROUP: This sounds legitimately useful. - KDBUS_ATTACH_SECLABEL: The docs talk about selinux. What does this even mean on a non-selinux system? I tend to think that this shouldn't exist as a metadata item and that all selinux integration should go through the LSM hooks. Otherwise we'll end up with two separate selinux policy databases -- the normal one and whatever dbus tries to do, and the result will be even more unwieldy than the current state of affairs. Also, turning off selinux enforcing mode really ought to continue turning it all the way off, and I don't think that dbus should be allowed to interfere with that. - KDBUS_ATTACH_AUDIT: Please define what an audit label is. I'm serious: audit doesn't have a great track record for interface stability. Please consider disallowing anyone without CAP_AUDIT_CONTROL from *receiving* this item. (Also, the docs here are full of typos.) Are caps missing from this list? I swear they're in the code but not in either version of the docs... If they're still in the code, I really don't like it. The Linux capability system sucks, and to avoid having that suckage spread, those bits should IMO not gain any new powers like this. One of the great things about polkit and dbus is that you don't *need* caps to ask system software to do things for you. This means that you can, for example, have the ability to ask for a graceful reboot but not to call reboot(2). This is a good thing, and actually using caps as a metadata item risks undoing that. (Also, keep in mind that actually granting caps to uid != 0 processes is a royal PITA, and every attempt to fix it gets shot down. Furthermore, since I fully expect Eric to eventually nak you hard enough that you get kdbus namespacing to work well, I think you'll find that namespacing caps will be even less pleasant that the rest of it.) [1] I say that exe is barely better than comm because of two factors. The first is ptrace. The second is that, if you fix namespacing, you'll have a high probability of getting mostly-attacker-controlled garbage out of it. (It will be 100% garbage, and attackers will have lots of influence on that garbage.) --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/