lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150415083554.GC16381@kroah.com>
Date:	Wed, 15 Apr 2015 10:35:54 +0200
From:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:	John Stoffel <john@...ffel.org>
Cc:	Andy Lutomirski <luto@...capital.net>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Arnd Bergmann <arnd@...db.de>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>,
	Tom Gundersen <teg@...m.no>, Jiri Kosina <jkosina@...e.cz>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Daniel Mack <daniel@...que.org>,
	David Herrmann <dh.herrmann@...il.com>,
	Djalal Harouni <tixxdz@...ndz.org>
Subject: Re: [GIT PULL] kdbus for 4.1-rc1

On Tue, Apr 14, 2015 at 04:14:34PM -0400, John Stoffel wrote:
> >>>>> "Greg" == Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
> 
> Greg> On Tue, Apr 14, 2015 at 11:57:22AM -0700, Andy Lutomirski wrote:
> >> On Tue, Apr 14, 2015 at 10:50 AM, Greg Kroah-Hartman
> >> <gregkh@...uxfoundation.org> wrote:
> >> > On Mon, Apr 13, 2015 at 02:01:21PM -0700, Andy Lutomirski wrote:
> >> >> On Mon, Apr 13, 2015 at 1:45 PM, Greg Kroah-Hartman
> >> >> <gregkh@...uxfoundation.org> wrote:
> >> >> > On Mon, Apr 13, 2015 at 01:13:26PM -0700, Andy Lutomirski wrote:
> >> >> >> On Mon, Apr 13, 2015 at 12:03 PM, Greg Kroah-Hartman
> >> >> >> <gregkh@...uxfoundation.org> wrote:
> >> >> >> > The following changes since commit 9eccca0843205f87c00404b663188b88eb248051:
> >> >> >> >
> >> >> >> >   Linux 4.0-rc3 (2015-03-08 16:09:09 -0700)
> >> >> >> >
> >> >> >> > are available in the git repository at:
> >> >> >> >
> >> >> >> >   git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/ tags/kdbus-4.1-rc1
> >> >> >> >
> >> >> >> > for you to fetch changes up to 9fb9cd0f4434a23487b6ef3237e733afae90e336:
> >> >> >> >
> >> >> >> >   kdbus: avoid the use of struct timespec (2015-04-10 14:34:53 +0200)
> >> >> >> >
> >> >> >> > ----------------------------------------------------------------
> >> >> >> > kdbus for 4.1-rc1
> >> >> >> >
> >> >> >> > Here's the kdbus pull request for 4.1-rc1.
> >> >> >> >
> >> >> >> > It's been under development for many years now, and been in linux-next
> >> >> >> > for many months, and has undergone loads of testing a review and even a few
> >> >> >> > good arguments.  It comes with full documentation and tests.
> >> >> >> >
> >> >> >> > There has been a few complaints about the code, notably from people who
> >> >> >> > don't like the use of metadata in the bus messages.  That is actually
> >> >> >> > one of the main features here, as we can get this data in a secure and
> >> >> >> > reliable way, and it's something that userspace requires today.  So
> >> >> >> > while it does look "odd" to people who are not familiar with dbus, this
> >> >> >> > is something that finally fixes a number of almost unfixable races in
> >> >> >> > the current dbus implementations.
> >> >> >>
> >> >> >> While I generally like the concept of having a better in-kernel IPC
> >> >> >> mechanism, after some consideration I don't think this belongs in the
> >> >> >> kernel in its current form.  Here's why.
> >> >> >>
> >> >> >> First, the naming is counterintuitive.  There are "endpoints", but you
> >> >> >> don't send messages to endpoints.  In fact, an basic kdbus setup will
> >> >> >> have exactly one endpoint AFAICT.  Wtf?  This makes talking about it
> >> >> >> awkward.
> >> >> >
> >> >> > Did you read the documentation?  We've been over this before, and it
> >> >> > should all be addressed in the documentation based on this coming up.
> >> >> >
> >> >> >> A lot of the design seems to be to violate the concept of "mechanism,
> >> >> >> not policy".  Kdbus is very much a port of userspace dbus to the
> >> >> >> kernel, and it appears to be a port designed to preserve some
> >> >> >> questionable design decisions instead of learning from them.
> >> >> >>
> >> >> >> For example, kdbus sticks a whole policy database in the kernel, but
> >> >> >> that policy database (AFAICT -- holy crap it's overcomplicated) is
> >> >> >> *not* a simple set of rules like "if A then allow B".  Instead it has
> >> >> >> really weird dependencies not on what name you're sending to but on
> >> >> >> what *other* names the thing you're sending to has.  Sorry, but this
> >> >> >> way lies (a) the inability for a large set of developers to understand
> >> >> >> what's going on and (b) security bugs.  Also, the result probably
> >> >> >> can't be reused as part of a non-legacy-filled sensible design
> >> >> >
> >> >> > What policy database?  Matching messages to subscribers?  That's the
> >> >> > same type of "database" that other ipc subsystems need/want, there's
> >> >> > nothing radical here.
> >> >>
> >> >> Let me quote from the latest version of the kdbus docs:
> >> >>
> >> >>       Note that TALK access is checked against all names of a connection. For
> >> >>       example, if a connection owns both <constant>'org.foo.bar'</constant> and
> >> >>       <constant>'org.blah.baz'</constant>, and the policy database allows
> >> >>       <constant>'org.blah.baz'</constant> to be talked to by WORLD, then this
> >> >>       permission is also granted to <constant>'org.foo.bar'</constant>. That
> >> >>       might sound illogical, but after all, we allow messages to be directed to
> >> >>       either the ID or a well-known name, and policy is applied to the
> >> >>       connection, not the name. In other words, the effective TALK policy for a
> >> >>       connection is the most permissive of all names the connection owns.
> >> >>
> >> >> In my humble opinion, this paragraph speaks for itself.  The design is
> >> >> bad, full stop.
> >> >
> >> > First off, thanks for reading the docs, I appreciate that.  But realize
> >> > also, that this is straight from the D-Bus spec.  We aren't doing
> >> > anything "radical" here, this is what your desktop uses that you are
> >> > typing your email from.
> >> >
> >> > Yes, it's an unfortunate design, but one that we are all stuck with
> >> > (think of it as having to implement code for horrid hardware that you
> >> > have to get to work properly.)
> >> 
> >> I agree.  You've sent a pull request for an unfortunate design.  I
> >> don't think that unfortunate design belongs in the kernel.  If it says
> >> in userspace, then user programmers could potentially fix it some day.
> 
> Greg> You might not like the design, but it is a valid design.  Again, we
> Greg> don't refuse to support hardware that is designed badly.  Or support
> Greg> protocols we don't necessarily like, that's not the job of a kernel or
> Greg> operating system.
> 
> Greg> And here's Havoc's response as to why actually, this is a good design:
> Greg> 	http://lists.freedesktop.org/archives/dbus/2015-April/016651.html
> 
> This is an interesting discussion, and one thing that sticks out to me
> is the comments in the URL above talking about how clients are
> supposed to use a generic name to bind to a resource, but actually do
> a lookup to get the specific name, and then bind to THAT.
> 
> So the security concerns raised by Andy do seem to make sense, in that
> either security needs to be the same across all names of a service, so
> that you don't have problems with varying levels once people have
> connected.  In terms of the X11 analogy, if I have someone connect,
> and then I do 'xhost -' it removes all access.  It's not dependent on
> whether I'm bound to a specific or general service.  
> 
> So the security aspect really needs to be that the most restrictive
> takes precedence, not the other way around.  

But look at how dbus handles this, isn't this done in the correct way?

> And after having read a bunch of the docs, looked at the FAQ, etc;
> it's still no clearer to me what DBUS and KDBUS provides that's all so
> important or critical.  Sure, it might be nice to have, but that's ok.

The first email I wrote here explains all of this, are those not valid
uses for such a service that the kernel can provide?

> So I think that's the steps people need to take, give concrete example
> of how DBUS is better than anything else out there and won't cause
> more problems down the line.

D-Bus has been around for over 10 years now, and was the result of many
failed attempts to do something much like this (COM, DCOM, CORBA, and a
few others).  The developers involved had lots of experience in this
area, and created a solution that ended up working very well for the
problem domain.  So well that all other competing technologies in that
area were obsoleted and abondonded and everyone has moved to D-Bus as it
solves the problems they have in a correct manner.

The reason nothing else has come along might just be because nothing
else _needs_ to come along, D-Bus solves the need.

So unless you see a technical reason why the proposed code is somehow
not correct, I don't understand your complaint.

thanks,

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ