From: ebiederm@xmission.com (Eric W. Biederman)
To: Greg Kroah-Hartman
Cc: Linus Torvalds, Andrew Morton, Arnd Bergmann, gnomes@lxorguk.ukuu.org.uk, teg@jklm.no, jkosina@suse.cz, luto@amacapital.net, linux-kernel@vger.kernel.org, daniel@zonque.org, dh.herrmann@gmail.com, tixxdz@opendz.org
Date: Mon, 13 Apr 2015 19:19:49 -0500
Message-ID: <87lhhv36je.fsf@x220.int.ebiederm.org>
In-Reply-To: <8738434yjk.fsf@x220.int.ebiederm.org> (Eric W. Biederman's message of "Mon, 13 Apr 2015 14:29:35 -0500")
References: <20150413190350.GA9485@kroah.com> <8738434yjk.fsf@x220.int.ebiederm.org>
Subject: Re: [GIT PULL] kdbus for 4.1-rc1

ebiederm@xmission.com (Eric W. Biederman) writes:

> Greg Kroah-Hartman writes:
>
>> The following changes since commit 9eccca0843205f87c00404b663188b88eb248051:
>>
>>   Linux 4.0-rc3 (2015-03-08 16:09:09 -0700)
>>
>> are available in the git repository at:
>>
>>   git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/ tags/kdbus-4.1-rc1
>>
>> for you to fetch changes up to 9fb9cd0f4434a23487b6ef3237e733afae90e336:
>>
>>   kdbus: avoid the use of struct timespec (2015-04-10 14:34:53 +0200)
>>
>> ----------------------------------------------------------------
>> kdbus for 4.1-rc1
>>
>> Here's the kdbus pull request for 4.1-rc1.
>>
>> It's been under development for many years now, and been in linux-next
>> for many months, and has undergone loads of testing and review and even a few
>> good arguments.  It comes with full documentation and tests.
>
>> There have been a few complaints about the code, notably from people who
>> don't like the use of metadata in the bus messages.  That is actually
>> one of the main features here, as we can get this data in a secure and
>> reliable way, and it's something that userspace requires today.  So
>> while it does look "odd" to people who are not familiar with dbus, this
>> is something that finally fixes a number of almost unfixable races in
>> the current dbus implementations.
>
> And the code that transfers the meta-data is wrong.

In fact it is worse than I thought.

With a userspace application able to give meaning to any of the bits of
meta-data that are passed (capabilities, cgroup, security labels, etc)
that in the fullness of time dropping in them will grant you more
permissions somewhere.

Which means that it becomes impossible to change anything.  Impossible
to jail anything.  It in fact becomes impossible to do anything right.

Which means the ultimate result of the direction kdbus is going is a
world where nothing can be done without introducing a security issue or
breaking userspace.

So as far as I can tell kdbus has a fundamental design flaw.

My apologies for being the bearer of bad news.

Eric