Date: Tue, 28 Jul 2015 10:17:06 -0700
Subject: Re: [PATCH RFC 1/1] Documentation: describe how to add a system call
From: Kees Cook
To: David Drysdale
Cc: Linux API, Michael Kerrisk, Andrew Morton, Arnd Bergmann, Shuah Khan, Jonathan Corbet, Andrea Arcangeli, Thomas Gleixner, Eric B Munson, Ingo Molnar, "H. Peter Anvin", Oleg Nesterov, Linus Torvalds, Greg Kroah-Hartman, Andy Lutomirski, Al Viro, Rusty Russell, Peter Zijlstra, Vivek Goyal, Alexei Starovoitov, David Herrmann, "Theodore Ts'o", Milosz Tanski, Fam Zheng, Josh Triplett, Mathieu Desnoyers, "linux-doc@vger.kernel.org", LKML

On Tue, Jul 28, 2015 at 10:13 AM, David Drysdale wrote:
> On Tue, Jul 28, 2015 at 5:43 PM, Kees Cook wrote:
>> On Tue, Jul 28, 2015 at 4:41 AM, David Drysdale wrote:
>>> Add a document describing the process of adding a new system call,
>>> including the need for a flags argument for future compatibility, and
>>> covering 32-bit/64-bit concerns (albeit in an x86-centric way).
>>>
>>> Signed-off-by: David Drysdale
>>> Reviewed-by: Michael Kerrisk
>>
>> This is great!
>>
>> Reviewed-by: Kees Cook
>>
>> I have a few minor suggestions below...
>
> Thanks, I've applied all bar one -- a query below.
>
>>> ---
>>>  Documentation/adding-syscalls.txt | 454 ++++++++++++++++++++++++++++++++++++++
>>>  1 file changed, 454 insertions(+)
>>>  create mode 100644 Documentation/adding-syscalls.txt
>>>
>>> diff --git a/Documentation/adding-syscalls.txt b/Documentation/adding-syscalls.txt
>>> new file mode 100644
>>> index 000000000000..5f52edda8951
>>> --- /dev/null
>>> +++ b/Documentation/adding-syscalls.txt
>
> [snip]
>
>>> + - If there is an existing capability that governs related functionality, then
>>> +   use that. However, avoid combining lots of only vaguely related functions
>>> +   together under the same bit, as this goes against capabilities' purpose of
>>> +   splitting the power of root. In particular, avoid adding new uses of the
>>> +   already overly-general CAP_SYS_ADMIN capability.
>>> + - If there is no related capability, then consider adding a new capability
>>> +   bit -- but bear in mind that the numbering space is limited, and each new
>>> +   bit needs to be understood and administered by sysadmins.
>>
>> Perhaps mention alternative mechanisms for access control when working
>> on file descriptors, like avoiding security issues by looking at fd
>> _opener_ credentials, rather than current's credentials?
>
> I'm struggling to come up with text about this that doesn't feel either
> too vague or much too detailed / internal, so maybe I'm misunderstanding
> what you're after. Could you clarify or maybe suggest a sentence or two?

Hm, yes, I think you're right: my suggestion here was too specific.
Please ignore! :)

-Kees

--
Kees Cook
Chrome OS Security