From: Andy Lutomirski
Date: Thu, 23 Apr 2015 12:22:10 -0700
Subject: Re: [GIT PULL] kdbus for 4.1-rc1
To: Greg KH
Cc: One Thousand Gnomes, Arnd Bergmann, Linus Torvalds, Tom Gundersen, linux-kernel@vger.kernel.org, Jiri Kosina, David Herrmann, Eric W. Biederman, Andrew Morton, Djalal Harouni, Daniel Mack
In-Reply-To: <20150423185633.GA13242@kroah.com>
References: <20150413190350.GA9485@kroah.com> <20150423130548.GA4253@kroah.com> <20150423163616.GA10874@kroah.com> <20150423171640.GA11227@kroah.com> <20150423185633.GA13242@kroah.com>

On Apr 23, 2015 11:56 AM, "Greg Kroah-Hartman" wrote:
>
> On Thu, Apr 23, 2015 at 11:04:36AM -0700, Linus Torvalds wrote:
> > On Thu, Apr 23, 2015 at 10:57 AM, Linus Torvalds wrote:
> > >
> > > If somebody is printing something, it shouldn't matter if it's "lpr"
> > > or "firefox http://horses.and.trannyporn.my.little.pony.com/" that
> > > does the printing.
> >
> > And btw, it's not just "this is information that shouldn't be logged".
> >
> > It's literally "information that should not *ever* be used". I can
> > easily see some phone manufacturer deciding to do "value add" by
> > adding a special case where a special vendor system manager program
> > gets a back door to some service, because it needs to access the
> > camera for user identification at login time, so there's some magic
> >
> >     if (!strcmp(client->pid_comm, "vendor-login-pr"))
> >         return ACCESS_OK;
> >
> > because "it was the simplest way to do this", and the programmer knew
> > it was a hack, but he needed to get it working because he had a
> > deadline yesterday.
> >
> > And then somebody figures this out, and makes an app that takes
> > pictures on your phone surreptitiously.
> >
> > No, we can't protect against vendors doing stupid things, but we very
> > much also shouldn't make the kernel have interfaces that basically
> > encourage people to do stupid things because they make irrelevant and
> > wrongheaded data available.
>
> Doing access control based on comm and cmdline is horrid, I totally
> agree. But right now, any process in the system can read any other
> process's comm and cmdline value out of /proc today. So removing it
> from the metadata is fine for kdbus, I can live with that, but it really
> isn't "preventing" anything that's not already visible to everyone, so
> if someone wanting to be "bad" could always still log it or do anything
> else they wanted with it.

I feel like a broken record. This isn't true in general. SELinux can
and, I believe, often does prevent this.

--Andy
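The check Linus sketches in the quoted text is satisfiable by the client itself, which is the security point behind his objection. The following C program is an added example, not code from this thread, from kdbus or from any vendor: it reads its own comm as a peer would see it in /proc/<pid>/comm, is rejected by the name-based check under its real name, renames itself with prctl(PR_SET_NAME) (a call available to any unprivileged Linux process, which truncates the name to 15 characters plus NUL), and then passes the same strcmp. The service-side function `access_ok_by_comm` and the name `vendor-login-pr` mirror his hypothetical; `read_self_comm` and `comm_check_is_spoofable` are helper names introduced here and exist nowhere else.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Width of the kernel's task comm field, NUL included (TASK_COMM_LEN). */
#define COMM_LEN 16

/*
 * What the "service" in the hypothetical sees: the client's comm as the
 * kernel exports it in /proc/<pid>/comm. For a self-test we read our own
 * entry and fall back to prctl(PR_GET_NAME) if /proc is not mounted.
 * Helper introduced for this example.
 */
static int read_self_comm(char *buf, size_t len)
{
    FILE *f = fopen("/proc/self/comm", "r");
    if (f) {
        int ok = fgets(buf, (int)len, f) != NULL;
        fclose(f);
        if (!ok)
            return -1;
        buf[strcspn(buf, "\n")] = '\0';
        return 0;
    }
    if (len < COMM_LEN)
        return -1;
    return prctl(PR_GET_NAME, buf, 0, 0, 0) == 0 ? 0 : -1;
}

/* The back door from the thread: trust a client by its process name. */
static int access_ok_by_comm(const char *pid_comm)
{
    return strcmp(pid_comm, "vendor-login-pr") == 0;
}

/*
 * Returns 1 when an ordinary process is denied under its real name but
 * passes the very same check after renaming itself, 0 if it does not,
 * -1 on error. Helper introduced for this example.
 */
int comm_check_is_spoofable(void)
{
    char comm[COMM_LEN];

    if (read_self_comm(comm, sizeof comm) != 0)
        return -1;
    int before = access_ok_by_comm(comm);

    /* No privilege required: every process may set its own comm. */
    if (prctl(PR_SET_NAME, "vendor-login-pr", 0, 0, 0) != 0)
        return -1;

    if (read_self_comm(comm, sizeof comm) != 0)
        return -1;
    int after = access_ok_by_comm(comm);

    return (before == 0 && after == 1) ? 1 : 0;
}

int main(void)
{
    int r = comm_check_is_spoofable();
    printf("comm-based access check spoofable: %s\n",
           r == 1 ? "yes" : (r == 0 ? "no" : "error"));
    return r == 1 ? 0 : 1;
}
```

Build with `cc -o commspoof commspoof.c` and run it on Linux; it reports whether the rename flipped the verdict. The value the service compares is chosen by the very process being authenticated, so restricting who may read /proc/<pid>/comm, as Andy notes SELinux can, addresses the information leak but not a check of this shape.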