lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20101118101519.11729a74@lxorguk.ukuu.org.uk>
Date:	Thu, 18 Nov 2010 10:15:19 +0000
From:	Alan Cox <alan@...rguk.ukuu.org.uk>
To:	Greg KH <greg@...ah.com>
Cc:	Kay Sievers <kay.sievers@...y.org>, Valdis.Kletnieks@...edu,
	Lennart Poettering <mzxreary@...inter.de>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	Werner Fink <werner@...e.de>, Jiri Slaby <jslaby@...e.cz>
Subject: Re: tty: add 'active' sysfs attribute to tty0 and console device

> 	- the existing ioctl is broken and no userspace program can use
> 	  it properly, so it might as well be removed.

You can use it happily for various things providing you hold the vt
switch lock. It's not a very good API and wants something doing about it.
However we can't deprecate it using either of the proposed patches
because neither of them cover the needed functionality.

> 	- Kay's patch is one proposed solution for what userspace is
> 	  wanting to learn about ttys.  Werner's is another one.

Kay's patch is useless. As we've demonstrated by as you call it "going
off topic" it can't actually provide a credible security model. Its
providing a variable without holding the locks that make the value
meaningful. Thats as basic an error I can think of.

We wouldn't accept kernel code which did

	mutex_lock(&foo->lock)
	temp = foo->only_valid_under_lock;
	mutex_unlock(&foo->lock);
	return temp;	/* ma invalid by now */

especially when it was going to be used for permission management. We'd
call it a bug. So why are we proposing to add an API that does exactly
that ?

> I can do any one, or multiple things from the following options:
> 
> 	- disable the existing ioctl to return an error so that no new
> 	  userspace program starts to use it thinking it is valid
> 	- accept Werner's patch for those who like proc files
> 	- accept Kay's patch
> 
> Any suggestions?

None of the above. In fact the current situation is better than either of
the patches because it's equally broken and involves no more broken APIs !

Doing it right means:
- deprecating the existing ioctl (because it's a dumb interface and Kay
  is right about that)
- adding a proper event device which is pollable and returns the same
  events (and more) using a small kfifo queue. Trivial to code and will
  not add another API we'll need to deprecate again the moment anyone
  wants to use it.
- support synchronous switching by that interface or verify the existing
  vt locking interfaces will do the job in conjunction with it.

Kay's approach doesn't solve three things

- You can't use the data to implement proper secure desktop switching
- It doesn't support moving to multiple active vts at a time
- You can't deprecate the wait event interface unless you replace all the
  features of it that people use (eg resize events)

So we will be back here again doing the same thing deprecating Kay's
interface if we go that way. Having an event device actually lets us
solve the problem properly, and if we are careful about the message
formats cover the fact the KMS folks and others want multiple "live"
virtual consoles at a time.

If you have a /dev/vtmanager or similar and opening it allocates a kfifo
of a page into which we stuff the events we currently post for waitevent
then the code is trivial and it does what Kay needs as well as being able
to cover the rest of the WAITEVENT interface and future multi-desktop
stuff.

So its trivial to do the job properly, which makes the existing patches
all the wrong thing to do.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ