| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 30 Jul 2014 11:41:41 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk> Cc: Andy Lutomirski <luto@...capital.net>, Paolo Bonzini <pbonzini@...hat.com>, linux-crypto@...r.kernel.org, Henrique de Moraes Holschuh <hmh@....eng.br>, "linux-kernel\@vger.kernel.org" <linux-kernel@...r.kernel.org>, James Morris <james.l.morris@...cle.com>, LSM List <linux-security-module@...r.kernel.org>, Al Viro <viro@...iv.linux.org.uk>, Linux API <linux-api@...r.kernel.org>, Julien Tinnes <jln@...gle.com>, "Theodore Ts'o" <tytso@....edu>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Paul Moore <paul@...l-moore.com>, David Drysdale <drysdale@...gle.com>, Kees Cook <keescook@...omium.org>, Meredydd Luff <meredydd@...atehouse.org>, Christoph Hellwig <hch@...radead.org> Subject: Re: General flags to turn things off (getrandom, pid lookup, etc) One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk> writes: >> Andy you seem to be arguing here for two system calls. >> get_urandom() and get_random(). >> >> Where get_urandom only blocks if there is not enough starting entropy, >> and get_random(GRND_RANDOM) blocks if there is currently not enough >> entropy. >> >> That would allow -ENOSYS to be the right return value and it would >> simply things for everyone. > > So you replace the "no file handle" special case with the "unsupported or > disabled syscall" special case, which is even harder to test. > > Interfaces have failure modes. People who can't deal with that shouldn't > be writing code that does anything important in languages which don't > handle it for them. Perhaps I misread the earlier conversation but it what I have read of this discussion people want to disable some of get_random() modes with seccomp. Today get_random does not have any failure codes define except -ENOSYS. get_random(0) succeeding and get_random(GRND_RANDOM) returning -ENOSYS has every chance of causing applications to legitimately assume the get_random system call is not available in any mode. So the code either needs a defined error code for bad flags (-EINVAL) or we need to split the syscall in two. Now that I think about it having the seccomp filter return -EINVAL if it doesn't like the parameter is better that splitting a syscall. Presumably that is what get_random(UNSUPPORTED_FLAG) returns. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists