lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150130214007.GA2613@jtriplet-mobl1>
Date:	Fri, 30 Jan 2015 13:40:07 -0800
From:	Josh Triplett <josh@...htriplett.org>
To:	Casey Schaufler <casey@...aufler-ca.com>
Cc:	paulmck@...ux.vnet.ibm.com, Iulia Manda <iulia.manda21@...il.com>,
	gnomes@...rguk.ukuu.org.uk, serge.hallyn@...onical.com,
	linux-kernel@...r.kernel.org, akpm@...ux-foundation.org,
	peterz@...radead.org, mhocko@...e.cz,
	LSM <linux-security-module@...r.kernel.org>
Subject: Re: [PATCH v2] kernel: Conditionally support non-root users, groups
 and capabilities

On Fri, Jan 30, 2015 at 11:48:04AM -0800, Casey Schaufler wrote:
> On 1/30/2015 11:13 AM, josh@...htriplett.org wrote:
> > On Thu, Jan 29, 2015 at 06:25:23PM -0800, Casey Schaufler wrote:
> >> On 1/29/2015 5:36 PM, Paul E. McKenney wrote:
> >>> Casey Schaufler wrote:
> >>>> As for LSMs, I can easily see putting in the security model from the old
> >>>> RTOS on top of a NON_ROOT configuration. Won't that be fun when the CVEs
> >>>> start to fly?
> > The security model is "there's one process on this system".  (Expect
> > patches for CONFIG_FORK=n and CONFIG_EXEC=n at some point.)
> 
> Ok. Why not use Bada?

If you're asking about that particular OS: perhaps because it's
proprietary, and also dead now (as of early 2013 according to
Wikipedia)?  From a quick look, it also looks much larger than desired.
Leaving aside all the other reasons to not run a non-Linux OS, which I'd
hope most people on these lists don't need much convincing of.

More generally, why not run some random tiny RTOS?  Because they're
mostly proprietary, and not Linux, and with few exceptions don't live
nearly as long as Linux, and don't have as many expert developers as
Linux...

> >>>> Do you think you'll be running system services like systemd on top of this?
> >>>> Anyone *else* remember what happened when they put capability handling into
> >>>> sendmail?
> >>> Nope, I don't expect these systems to be using LSM, systemd, or sendmail.
> >>> I think that many of these will instead run the application directly
> >>> out of the init process.
> >> Where an "application" might be something like CrossWalk,
> > No, not a chance.  If you're running a web runtime, you're on a much
> > larger system, and you're going to be less concerned about shaving
> > kilobytes; you're also going to want many of the kernel facilities for
> > sandboxing code.
> >
> > The kinds of applications we're talking about here run entirely in one
> > binary, serving a few very narrow functions.  We're not talking
> > "automobile IVI system" here; we're talking "two buttons and an output",
> > or "a few sensors and an SD card".
> 
> Linux is an insane choice for such a system. Why would you
> even consider it?

Linux was once an insane choice for supercomputers with thousands of
CPUs.  SMP support once had to be added, and it was significant enough
to warrant bumping the major version number, back when that had
significance.

*Today*, Linux is a challenging choice for a tiny embedded system.
We're trying to fix that.

Why write yet another driver when Linux has one?  Why reimplement code
and risk rediscovering yet another bug Linux solved long ago?  Why not
use a system that scales, such that if you need more functionality, you
can turn on a few more options without rewriting all your code for
another environment?  Why not use an OS that will definitely run on your
next piece of hardware too, without needing a total rewrite?

I would hope that I'm preaching to the choir here.  Let's take a step
back from the philosophy for a moment, and go back to reviewing code and
patches.

- Josh Triplett
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ