From: Andy Lutomirski
Date: Mon, 13 Apr 2015 17:34:38 -0700
Subject: Re: [GIT PULL] kdbus for 4.1-rc1
To: "Eric W. Biederman"
Cc: Greg Kroah-Hartman, Linus Torvalds, Andrew Morton, Arnd Bergmann, One Thousand Gnomes, Tom Gundersen, Jiri Kosina, linux-kernel@vger.kernel.org, Daniel Mack, David Herrmann, Djalal Harouni
In-Reply-To: <87lhhv36je.fsf@x220.int.ebiederm.org>
References: <20150413190350.GA9485@kroah.com> <8738434yjk.fsf@x220.int.ebiederm.org> <87lhhv36je.fsf@x220.int.ebiederm.org>

On Mon, Apr 13, 2015 at 5:19 PM, Eric W. Biederman wrote:
> ebiederm@xmission.com (Eric W. Biederman) writes:
>
>> Greg Kroah-Hartman writes:
>>
>>> The following changes since commit 9eccca0843205f87c00404b663188b88eb248051:
>>>
>>>   Linux 4.0-rc3 (2015-03-08 16:09:09 -0700)
>>>
>>> are available in the git repository at:
>>>
>>>   git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/ tags/kdbus-4.1-rc1
>>>
>>> for you to fetch changes up to 9fb9cd0f4434a23487b6ef3237e733afae90e336:
>>>
>>>   kdbus: avoid the use of struct timespec (2015-04-10 14:34:53 +0200)
>>>
>>> ----------------------------------------------------------------
>>> kdbus for 4.1-rc1
>>>
>>> Here's the kdbus pull request for 4.1-rc1.
>>>
>>> It's been under development for many years now, and been in linux-next
>>> for many months, and has undergone loads of testing and review and even a few
>>> good arguments.  It comes with full documentation and tests.
>>
>>> There have been a few complaints about the code, notably from people who
>>> don't like the use of metadata in the bus messages.  That is actually
>>> one of the main features here, as we can get this data in a secure and
>>> reliable way, and it's something that userspace requires today.  So
>>> while it does look "odd" to people who are not familiar with dbus, this
>>> is something that finally fixes a number of almost unfixable races in
>>> the current dbus implementations.
>>
>> And the code that transfers the meta-data is wrong.
>
> In fact it is worse than I thought.
>
> With a userspace application able to give meaning to any of the bits of
> meta-data that are passed (capabilities, cgroup, security labels, etc)
> that in the fullness of time dropping in them will grant you more
> permissions somewhere.
>
> Which means that it becomes impossible to change anything.  Impossible
> to jail anything.  It in fact becomes impossible to do anything right.
>
> Which means the ultimate result of the direction kdbus is going is a
> world where nothing can be done without introducing a security issue or
> breaking userspace.
>
> So as far as I can tell kdbus has a fundamental design flaw.
>
> My apologies for being the bearer of bad news.
>

I agree here.  I cannot overstate the degree to which passing caps
around through metadata is a bad idea.  LSM labels are probably nearly
as bad.  Having LSM hooks in kdbus is one thing, but passing the *raw
labels* around and letting userspace muck with them will cause the
policy situation to be incomprehensible.  User code should get simple
yes/no answers from LSM policy, not raw data.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/