Re: [GIT PULL] kdbus for 4.1-rc1

[Linus Torvalds]

On Thu, Apr 23, 2015 at 11:56 AM, Greg Kroah-Hartman
<gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Doing access control based on comm and cmdline is horrid, I totally
> agree.  But right now, any process in the system can read any other
> process's comm and cmdline value out of /proc today.

You have to work extra hard for it, and it's preventable anyway (ie selinux).

In contrast, with the information in the kdbus message, it's almost
certain that any random "enable debugging for dbus" patch will start
logging it, because "it's just there".

That's a big difference. Most bugs and security issues come because
people make trivial make trivial mistakes, not because people
explicitly go out of their way to make them.

> Doesn't syslog uses it today all over the place for logging stuff that
> happens in the system?

Hell no.

Sure, if an application explicitly says "log this message", then we
save the application name. But not for random system interactions.

The example Andy gave about doing things like name lookup is a good
one. Doesn't systemd already do a dns cache module?

Doing a name lookup is some *seriously* different thing than using
"syslog()" to explicitly log messages.

And if kdbus people can't see that difference, I don't see what we can
discuss here. Do you really not see the privacy implications? It turns
privacy violations from "you have to actually work at it" to "they
happen pretty much by mistake".

                           Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/