| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Jul 2016 07:48:06 -0500 From: "Serge E. Hallyn" <serge@...lyn.com> To: Kees Cook <keescook@...omium.org> Cc: John Stultz <john.stultz@...aro.org>, Andrew Morton <akpm@...ux-foundation.org>, Thomas Gleixner <tglx@...utronix.de>, Arjan van de Ven <arjan@...ux.intel.com>, lkml <linux-kernel@...r.kernel.org>, Oren Laadan <orenl@...lrox.com>, Ruchi Kandoi <kandoiruchi@...gle.com>, Rom Lemarchand <romlem@...roid.com>, Android Kernel Team <kernel-team@...roid.com>, Todd Kjos <tkjos@...gle.com>, Colin Cross <ccross@...roid.com>, Nick Kralevich <nnk@...gle.com>, Dmitry Shmidt <dimitrysh@...gle.com>, Elliott Hughes <enh@...gle.com> Subject: Re: [PATCH 2/2] proc: Add /proc/<pid>/timerslack_ns interface Quoting Kees Cook (keescook@...omium.org): > On Wed, Jul 13, 2016 at 4:47 PM, John Stultz <john.stultz@...aro.org> wrote: > > On Tue, Feb 16, 2016 at 5:06 PM, John Stultz <john.stultz@...aro.org> wrote: > >> This patch provides a proc/PID/timerslack_ns interface which > >> exposes a task's timerslack value in nanoseconds and allows it > >> to be changed. > >> > >> This allows power/performance management software to set timer > >> slack for other threads according to its policy for the thread > >> (such as when the thread is designated foreground vs. background > >> activity) > >> > >> If the value written is non-zero, slack is set to that value. > >> Otherwise sets it to the default for the thread. > >> > >> This interface checks that the calling task has permissions to > >> to use PTRACE_MODE_ATTACH_FSCREDS on the target task, so that we > >> can ensure arbitrary apps do not change the timer slack for other > >> apps. > > > > Sigh. > > > > So I wanted to pull this thread up again, because when I originally > > proposed upstreaming the PR_SET_TIMERSLACK_PID feature from the AOSP > > common.git tree, the first objection from Arjan was that it only > > required CAP_SYS_NICE: > > http://lkml.iu.edu/hypermail/linux/kernel/1506.3/01491.html > > > > And reasonably, setting timerslack to very large values does have the > > potential to effect applications much further then what a task could > > do previously with CAP_SYS_NICE. > > > > CAP_SYS_PTRACE was suggested instead, as that allows applications to > > manipulate other tasks more drastically. > > > > (At the time, I checked with some of the Android developers, and got > > no objection to changing to use this capability.) > > > > However, after submitting the changes to Android required to support > > the upstreamed /proc/<tid>/timerslack_ns interface, I've gotten some > > objections with adding CAP_SYS_PTRACE to the system_server, as this > > would allow the system_server to be able to inspect and modify memory > > on any task in the system. This gives the system_server privileged to > > effect applications much further then what it could do previously. > > > > So I worry I'm a bit stuck here. For general systems, CAP_SYS_NICE is > > too low a level of privilege to set a tasks timerslack, but > > apparently CAP_SYS_PTRACE is too high a privilege for Android's > > system_server to require just to set a tasks timerslack value. > > > > So I wanted to ask again if we might consider backing this down to > > CAP_SYS_NICE, or if we can instead introduce a new CAP_SYS_TIMERSLACK > > or something to provide the needed in-between capability level. > > Adding new capabilities appears to not really be viable (lots of > threads about this...) Sorry - why is this? > I think the original CAP_SYS_NICE should be fine. A malicious > CAP_SYS_NICE process can do plenty of insane things, I don't feel like > the timer slack adds to any realistic risks. Can someone give a detailed explanation of what you could do with the new timerslack feature and compare it to what you can do with sys_nice?
Powered by blists - more mailing lists