lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 19 Mar 2014 20:49:28 -0700
From:	Linus Torvalds <>
To:	David Herrmann <>
Cc:	Linux Kernel Mailing List <>,
	Hugh Dickins <>,
	Alexander Viro <>,
	Matthew Wilcox <>,
	Karol Lewandowski <>,
	Kay Sievers <>, Daniel Mack <>,
	Lennart Poettering <>,
	Kristian Høgsberg <>,
	John Stultz <>,
	Greg Kroah-Hartman <>, Tejun Heo <>,
	Johannes Weiner <>,
	DRI <>,
	linux-fsdevel <>,
	linux-mm <>,
	Andrew Morton <>,
	Ryan Lortie <>,
	"Michael Kerrisk (man-pages)" <>
Subject: Re: [PATCH 0/6] File Sealing & memfd_create()

On Wed, Mar 19, 2014 at 12:06 PM, David Herrmann <> wrote:
> Unlike existing techniques that provide similar protection, sealing allows
> file-sharing without any trust-relationship. This is enforced by rejecting seal
> modifications if you don't own an exclusive reference to the given file.

I like the concept, but I really hate that "exclusive reference"
approach. I see why you did it, but I also worry that it means that
people can open random shm files that are *not* expected to be sealed,
and screw up applications that don't expect it.

Is there really any use-case where the sealer isn't also the same
thing that *created* the file in the first place? Because I would be a
ton happier with the notion that you can only seal things that you
yourself created. At that point, the exclusive reference isn't such a
big deal any more, but more importantly, you can't play random
denial-of-service games on files that aren't really yours.

The fact that you bring up the races involved with the exclusive
reference approach also just makes me go "Is that really the correct
security model"?

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists