Re: [GIT PULL] kdbus for 4.1-rc1

From: Eric W. Biederman
Date: Mon Apr 13 2015 - 20:24:06 EST


ebiederm@xxxxxxxxxxxx (Eric W. Biederman) writes:

> Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> writes:
>
>> The following changes since commit 9eccca0843205f87c00404b663188b88eb248051:
>>
>> Linux 4.0-rc3 (2015-03-08 16:09:09 -0700)
>>
>> are available in the git repository at:
>>
>> git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/ tags/kdbus-4.1-rc1
>>
>> for you to fetch changes up to 9fb9cd0f4434a23487b6ef3237e733afae90e336:
>>
>> kdbus: avoid the use of struct timespec (2015-04-10 14:34:53 +0200)
>>
>> ----------------------------------------------------------------
>> kdbus for 4.1-rc1
>>
>> Here's the kdbus pull request for 4.1-rc1.
>>
>> It's been under development for many years now, and been in linux-next
>> for many months, and has undergone loads of testing and review and even a few
>> good arguments. It comes with full documentation and tests.
>
>> There have been a few complaints about the code, notably from people who
>> don't like the use of metadata in the bus messages. That is actually
>> one of the main features here, as we can get this data in a secure and
>> reliable way, and it's something that userspace requires today. So
>> while it does look "odd" to people who are not familiar with dbus, this
>> is something that finally fixes a number of almost unfixable races in
>> the current dbus implementations.
>
> And the code that transfers the meta-data is wrong.

In fact it is worse than I thought.

With a userspace application able to give meaning to any of the bits of
meta-data that are passed (capabilities, cgroup, security labels, etc)
that in the fullness of time dropping in them will grant you more
permissions somewhere.

Which means that it becomes impossible to change anything. Impossible
to jail anything. It in fact becomes impossible to do anything right.

Which means the ultimate result of the direction kdbus is going is a
world where nothing can be done without introducing a security issue or
breaking userspace.

So as far as I can tell kdbus has a fundamental design flaw.

My apologies for being the bearer of bad news.

Eric
