[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87lhhv36je.fsf@x220.int.ebiederm.org>
Date: Mon, 13 Apr 2015 19:19:49 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Arnd Bergmann <arnd@...db.de>, gnomes@...rguk.ukuu.org.uk,
teg@...m.no, jkosina@...e.cz, luto@...capital.net,
linux-kernel@...r.kernel.org, daniel@...que.org,
dh.herrmann@...il.com, tixxdz@...ndz.org
Subject: Re: [GIT PULL] kdbus for 4.1-rc1
ebiederm@...ssion.com (Eric W. Biederman) writes:
> Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
>
>> The following changes since commit 9eccca0843205f87c00404b663188b88eb248051:
>>
>> Linux 4.0-rc3 (2015-03-08 16:09:09 -0700)
>>
>> are available in the git repository at:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/ tags/kdbus-4.1-rc1
>>
>> for you to fetch changes up to 9fb9cd0f4434a23487b6ef3237e733afae90e336:
>>
>> kdbus: avoid the use of struct timespec (2015-04-10 14:34:53 +0200)
>>
>> ----------------------------------------------------------------
>> kdbus for 4.1-rc1
>>
>> Here's the kdbus pull request for 4.1-rc1.
>>
>> It's been under development for many years now, and been in linux-next
>> for many months, and has undergone loads of testing a review and even a few
>> good arguments. It comes with full documentation and tests.
>
>> There has been a few complaints about the code, notably from people who
>> don't like the use of metadata in the bus messages. That is actually
>> one of the main features here, as we can get this data in a secure and
>> reliable way, and it's something that userspace requires today. So
>> while it does look "odd" to people who are not familiar with dbus, this
>> is something that finally fixes a number of almost unfixable races in
>> the current dbus implementations.
>
> And the code that transfers the meta-data is wrong.
In fact it is worse than I thought.
With an userspace application able to give meaning to any of the bits of
meta-data that are passed (capabilities, cgroup, security labels, etc)
that in the fullness of time dropping in them will grant you more
permissions somewhere.
Which means that it becomes impossible to change anything. Impossible
to jail anything. It in fact becomes impossible to do anything right.
Which means the ultimate result of the direction kdbus is going is a
world where nothing can be done without introducing a security issue or
breaking userspace.
So as far as I can tell kdbus has a fundamental design flaw.
My apologies for being the bearer of bad news.
Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists