Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1754605AbbDMTdu (ORCPT <rfc822;w@1wt.eu>);
	Mon, 13 Apr 2015 15:33:50 -0400
Received: from out01.mta.xmission.com ([166.70.13.231]:59766 "EHLO
	out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751511AbbDMTdr (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Mon, 13 Apr 2015 15:33:47 -0400
From: ebiederm@xmission.com (Eric W. Biederman)
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Arnd Bergmann <arnd@arndb.de>, gnomes@lxorguk.ukuu.org.uk, teg@jklm.no,
        jkosina@suse.cz, luto@amacapital.net, linux-kernel@vger.kernel.org,
        daniel@zonque.org, dh.herrmann@gmail.com, tixxdz@opendz.org
References: <20150413190350.GA9485@kroah.com>
Date: Mon, 13 Apr 2015 14:29:35 -0500
In-Reply-To: <20150413190350.GA9485@kroah.com> (Greg Kroah-Hartman's message
	of "Mon, 13 Apr 2015 21:03:50 +0200")
Message-ID: <8738434yjk.fsf@x220.int.ebiederm.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-XM-AID: U2FsdGVkX1/s7wt9Ca1LKueAfXSzVecanyDBu3s/py0=
X-SA-Exim-Connect-IP: 97.119.22.70
X-SA-Exim-Mail-From: ebiederm@xmission.com
X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
	*  0.0 TVD_RCVD_IP Message was received from an IP address
	*  0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available.
	*  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
	*      [score: 0.5000]
	* -0.0 DCC_CHECK_NEGATIVE Not listed in DCC
	*      [sa06 1397; Body=1 Fuz1=1 Fuz2=1]
	*  1.2 XMSubMetaSxObfu_03 Obfuscated Sexy Noun-People
	*  0.5 XM_Body_Dirty_Words Contains a dirty word
	*  1.0 T_XMDrugObfuBody_08 obfuscated drug references
	*  0.0 T_TooManySym_01 4+ unique symbols in subject
	*  1.0 XMSubMetaSx_00 1+ Sexy Words
	*  1.0 XMSexyCombo_01 Sexy words in both body/subject
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1 
X-Spam-Combo: ****;Greg Kroah-Hartman <gregkh@linuxfoundation.org>
X-Spam-Relay-Country: 
X-Spam-Timing: total 468 ms - load_scoreonly_sql: 0.16 (0.0%),
	signal_user_changed: 4.7 (1.0%), b_tie_ro: 3.1 (0.7%), parse: 1.34 (0.3%),
	extract_message_metadata: 18 (3.9%), get_uri_detail_list: 3.5 (0.8%),
	tests_pri_-1000: 9 (1.9%), tests_pri_-950: 1.47 (0.3%), tests_pri_-900: 1.23
	(0.3%), tests_pri_-400: 33 (7.1%), check_bayes: 32 (6.8%), b_tokenize: 10
	(2.1%), b_tok_get_all: 12 (2.5%), b_comp_prob: 3.7 (0.8%), b_tok_touch_all:
	3.7 (0.8%), b_finish: 0.68 (0.1%), tests_pri_0: 389 (83.0%), tests_pri_500: 6
	(1.4%), rewrite_mail: 0.00 (0.0%)
Subject: Re: [GIT PULL] kdbus for 4.1-rc1
X-Spam-Flag: No
X-SA-Exim-Version: 4.2.1 (built Wed, 24 Sep 2014 11:00:52 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 4944
Lines: 110

Greg Kroah-Hartman <gregkh@linuxfoundation.org> writes:

> The following changes since commit 9eccca0843205f87c00404b663188b88eb248051:
>
>   Linux 4.0-rc3 (2015-03-08 16:09:09 -0700)
>
> are available in the git repository at:
>
>   git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/ tags/kdbus-4.1-rc1
>
> for you to fetch changes up to 9fb9cd0f4434a23487b6ef3237e733afae90e336:
>
>   kdbus: avoid the use of struct timespec (2015-04-10 14:34:53 +0200)
>
> ----------------------------------------------------------------
> kdbus for 4.1-rc1
>
> Here's the kdbus pull request for 4.1-rc1.
>
> It's been under development for many years now, and been in linux-next
> for many months, and has undergone loads of testing a review and even a few
> good arguments.  It comes with full documentation and tests.

> There has been a few complaints about the code, notably from people who
> don't like the use of metadata in the bus messages.  That is actually
> one of the main features here, as we can get this data in a secure and
> reliable way, and it's something that userspace requires today.  So
> while it does look "odd" to people who are not familiar with dbus, this
> is something that finally fixes a number of almost unfixable races in
> the current dbus implementations.

And the code that transfers the meta-data is wrong.

It is generally not something that userspace requires today, certainly
userspace is not using it.

You are exporting a weird set of information in a unique way that makes
it race free enough to make ``security'' decisions upon but the data
in general is not appropriate to make those decisions.

I remain opposed to this half thought out trash of an ABI for the
meta-data.

Just because something happens to be exported in a DEBUG api today does
not make it appropriate for userspace to run around making security
decisions with that information.

Nacked-by: "Eric W. Biederman" <ebiederm@xmission.com>

I think it is premature to be merging kdbus.  You have fuddamental
issues that can not be fixed once the ABI is frozen.

The semantics of the meta-data you export are extremely poorly defined.

> The rest of this pull request message comes from the kdbus patch posting
> messages as sent to lkml previously:
>
> Reasons kdbus should be in the kernel, instead of userspace as it is
> currently done today includes the following:
>
>  * Performance: Fewer process context switches, fewer copies, fewer
>    syscalls, larger memory chunks via memfd.  This is really important
>    for a whole class of userspace programs that are ported from other
>    operating systems that are run on tiny ARM systems that rely on
>    hundreds of thousands of messages passed at boot time, and at
>    "critical" times in their user interaction loops. DBus is not used
>    for performance sensitive applications because DBus is slow.
>    We want to make it fast so we can finally use it for low-latency,
>    high-throughput applications. A simple DBus method-call+reply takes
>    200us on an up-to-date test machine, with kdbus it takes 8us (with
>    UDS about 2us). If the packet size is increased from 8k to 128k,
>    kdbus even beats UDS due to single-copy transfers.

And with a good design kdbus could be faster.

>  * Security: The peers which communicate do not have to trust each
>    other, as the only trustworthy component in the game is the kernel
>    which adds metadata and ensures that all data passed as payload is
>    either copied or sealed, so that the receiver can parse the data
>    without having to protect against changing memory while parsing
>    buffers. Also, all the data transfer is controlled by the kernel,
>    so that LSMs can track and control what is going on, without
>    involving userspace. Because of the LSM issue, security people are
>    much happier with this model than the current scheme of having to
>    hook into dbus to mediate things.
>  * More types of metadata can be attached to messages than in
>    userspace

The meta-data is poorly thought and and much of it is not appropriate
for making security decisions anywhere except in the kernel.

All I have seen with the meta-data discussion is sticking heads in the
sand and resubmitting and hoping your reviewers go away.

If you won't do a good responsible job on this before the code is merged
how can we possibly expect you to do a good job later.  Or is this going
to be another API where userspace will be broken at arbitrary moments by
arbitrary users?

How are you going to fix the security issues your poor API comes with it
when then are eventually spelled out clearly and to fix them means
breaking everyones desktop environment?

Eric

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/