| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Jan 2015 16:50:06 -0800 From: Josh Triplett <josh@...htriplett.org> To: Casey Schaufler <casey@...aufler-ca.com> Cc: Iulia Manda <iulia.manda21@...il.com>, serge.hallyn@...onical.com, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, akpm@...ux-foundation.org, paulmck@...ux.vnet.ibm.com, peterz@...radead.org, mhocko@...e.cz Subject: Re: [PATCH] kernel: Conditionally support non-root users, groups and capabilities On Tue, Jan 20, 2015 at 04:05:00PM -0800, Casey Schaufler wrote: > On 1/20/2015 3:33 PM, Iulia Manda wrote: > > There are a lot of embedded systems that run most or all of their functionality > > in init, running as root:root. For these systems, supporting multiple users is > > not necessary. > > > > This patch adds a new symbol, CONFIG_NON_ROOT, that makes support for non-root > > users, non-root groups, and capabilities optional. > > > > When this symbol is not defined, UID and GID are zero in any possible case > > and processes always have all capabilities. > > > > Also, the following syscalls are compiled out: setuid, setregid, setgid, > > setreuid, setresuid, getresuid, setresgid, getresgid, setgroups, getgroups, > > setfsuid, setfsgid, capget, capset. > > > > This change saves about 25 KB on a defconfig build. > > > > Bloat-o-meter output: > > add/remove: 7/66 grow/shrink: 21/421 up/down: 1701/-27172 (-25471) > > > > Signed-off-by: Iulia Manda <iulia.manda21@...il.com> > > Reviewed-by: Josh Triplett <josh@...htriplett.org> > > Authoritative LSM hooks were loudly rejected in or about 1999. > One of the primary reasons they were rejected was because you could > use them do exactly what this patch does, which is to remove the basic > Linux security policy. If attitudes have changed sufficiently that > removing the "classic" security behavior is now deemed acceptable, > I propose that we reintroduce the option of authoritative LSM hooks > instead. That would give you all this saving, and probably more. Wouldn't authoritative LSM hooks require *adding* the necessary hook logic, along with a hook module implementing such a policy? Unless you're suggesting that compiling in LSM hooks without any providers would result in this behavior by default, which seems rather questionable. Also note that this is compiling out the entire family of UID/GID system calls, which LSM hooks could not do. In any case, I see two major problems with authoritative LSM hooks that this patch avoids: First, simplicity: I doubt authoritative LSM hooks could match this diffstat: > > include/linux/capability.h | 12 ++++++++++++ > > include/linux/uidgid.h | 12 ++++++++++++ > > init/Kconfig | 19 ++++++++++++++++++- > > kernel/capability.c | 6 ++++++ > > kernel/groups.c | 4 ++++ > > kernel/sys.c | 2 ++ > > kernel/sys_ni.c | 14 ++++++++++++++ > > 7 files changed, 68 insertions(+), 1 deletion(-) Second, code size reduction: In addition to the concern above about adding hooks rather than removing code, this patch allows constant-folding away huge amounts of code, which any kind of "hook" mechanism would have a hard time doing. This patch lets the compiler do almost all of the work. Notice the "66 shrink" and "421 down" in the bloat-o-meter summary. The intent here is not to open the door to arbitrary replacement security policies. The intent is to simply add a compile-time option to compile *out* security policies entirely, for systems that will not only never call setuid but in many cases never even call fork. - Josh Triplett -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists