questions to planned lock-functionality for vts

questions to planned lock-functionality for vts

[helene.gsaenger]

Hello,


We want to add a functionality to the kernel that allows to lock and unlock
virtual terminals to maybe one day replace X11 screensavers and console
lockers by a more secure kernel mechanism.

It should behave like:
If user A owns e.g. vt2, A is able to lock vt2 and unlock it again.
This is realized by a userspace programm that calls ioctl, which the above
mentioned added cases VT_LOCK and VT_UNLOCK.
Another user(that is not root) wouldn't be allowed to un-/lock vt2.
If anybody wants to change to a looked VT he gets redirected to vt12.
At vt12 a userspace programm (to unlock a VT) would run and ask for
loginname and password, if it is the password from the user that owns the
locked terminal or from root.
The VT gets unlocked and the user gets directed to his terminal.


We try to realize this the following way:

We added the three cases VT_LOCK, VT_UNLOCK and VT_IS_LOCKED to the switch
case in the method vt_ioctl.
VT_LOCK and VT_UNLOCK set and reset the vc_locked flag we have added as
member variable in the struct vc_data after checking the permissions and
VT_IS_LOCKED returns the current value of vc_locked.

When the Kernel switches consoles we want it to check first if the vt we
want to switch to is locked. If it is locked we want to redirect to vt12.
To realize the redirection we figured out two different approaches.


Option 1: realize the redirection in set_console:

Check if the console we want to switch to is locked.
In this case we set nr (the number of te vt we want to switch to) to 11.
Additionally we set the redirected-flag, a member variable we also added
to struct vc_data.

In many cases VT_WAITACTIVE is called after switching vt.
This function waits until the vt switch to the console with the specified
number is completed.
If we switch to vt12 instead of the initially intended vt this function
must be told to wait for a switch to vt12 and not to the intended vt.
So we need to check if the redirected-flag is set.

This approach has a few problems:
	- Besides VT_WAITACTIVE there are more functions that wait for a
	  console switch.
	  To make them work correctly they all must be found and modified.
	  When new functions that wait for a console change are implemented
	  they also must pay attention to this.
	- if there are more callers of set_console and VT_WAITACTIVE race
	  conditions might occur.


Option 2: realize the redirection in complete_change_console:

check if the vt we want to switch to is locked.
In this case we change the value of the struct vc_data *vc, which represents
the vt we want to switch to, to vc_cons[11].d.
But vt_event_post is either way called with the number of the vt we
initially want to switch to.
As a result there is no need for additional checks before waiting for the
vt switch to complete.

This approach seems to be better but we are not sure if calling vt_event_post
with numbers of vts we actually do not switch to is a good idea and has no
side effects in other functions.


None of these options seems to be really good.
So we would like to know if one of this options is better and if anyone knows
a better way to realize the redirection to vt12.


Regards,

Helene Gsaenger and Simone Weiss

Re: questions to planned lock-functionality for vts

[Greg KH]

On Sun, Mar 22, 2015 at 11:03:03PM +0100, helene.gsaenger@studium.fau.de wrote:
> Hello,
> 
> 
> We want to add a functionality to the kernel that allows to lock and unlock
> virtual terminals to maybe one day replace X11 screensavers and console
> lockers by a more secure kernel mechanism.

Wait, what's wrong with the existing functionality?

> It should behave like:
> If user A owns e.g. vt2, A is able to lock vt2 and unlock it again.
> This is realized by a userspace programm that calls ioctl, which the above
> mentioned added cases VT_LOCK and VT_UNLOCK.
> Another user(that is not root) wouldn't be allowed to un-/lock vt2.
> If anybody wants to change to a looked VT he gets redirected to vt12.
> At vt12 a userspace programm (to unlock a VT) would run and ask for
> loginname and password, if it is the password from the user that owns the
> locked terminal or from root.
> The VT gets unlocked and the user gets directed to his terminal.

Why would you want to put all of that into the kernel?

thanks,

greg k-h

Re: questions to planned lock-functionality for vts

[simone.weiss]

> Wait, what's wrong with the existing functionality?

Userspace programms for screensavers can potentially be bypassed
- if my scrennsaver dies, for example by segfault, my screen is unlocked
- Redirection is only possible in Kernel, because a vt switch can only
  be prevented there
Also it would make the implementation of a Secure-Acess-Key possible
(could also redirect to VT12)

>> It should behave like:
>> If user A owns e.g. vt2, A is able to lock vt2 and unlock it again.
>> This is realized by a userspace programm that calls ioctl, which the
>> above
>> mentioned added cases VT_LOCK and VT_UNLOCK.
>> Another user(that is not root) wouldn't be allowed to un-/lock vt2.
>> If anybody wants to change to a looked VT he gets redirected to vt12.
>> At vt12 a userspace programm (to unlock a VT) would run and ask for
>> loginname and password, if it is the password from the user that owns
>> the
>> locked terminal or from root.
>> The VT gets unlocked and the user gets directed to his terminal.
>
> Why would you want to put all of that into the kernel?

We don't want to put all of that in the kernel, the above describes only
the interaction with a userspace programm.
For the kernel it would only mean that if a vt is locked
it wouldn't allow to switch to this vt and instead switch to VT12.

Regards,
Simone Weiss

Re: questions to planned lock-functionality for vts

[David Herrmann]

Hi

On Mon, Mar 23, 2015 at 11:29 AM,  <simone.weiss@fau.de> wrote:
>
>> Wait, what's wrong with the existing functionality?
>
> Userspace programms for screensavers can potentially be bypassed
> - if my scrennsaver dies, for example by segfault, my screen is unlocked
> - Redirection is only possible in Kernel, because a vt switch can only
>   be prevented there
> Also it would make the implementation of a Secure-Acess-Key possible
> (could also redirect to VT12)

By moving these calls into the kernel, you don't make them necessarily
fail-safe. This can all be implemented in user-space. By switching to
a dedicated VT (say, VT12) and running VT_SETMODE+VT_PROCESS, you lock
the machine. You can now implement your screensaver. If you run a
spawner-process, you're even safe if your screensaver crashes.

Thanks
David

Re: questions to planned lock-functionality for vts

[simone.weiss]

hello

> By moving these calls into the kernel, you don't make them necessarily
> fail-safe. This can all be implemented in user-space. By switching to
> a dedicated VT (say, VT12) and running VT_SETMODE+VT_PROCESS, you lock
> the machine. You can now implement your screensaver. If you run a
> spawner-process, you're even safe if your screensaver crashes.

Yes but this would lock the whole machine. Our plan is to make it posible
to lock a specific set of VTs - owned by the user who wants to lock.

e.g if user A locked all his VTs user B would still be able to switch to
his VTs.

Thanks
Simone Weiss

Re: questions to planned lock-functionality for vts

[David Herrmann]

Hi

On Mon, Mar 23, 2015 at 2:02 PM,  <simone.weiss@fau.de> wrote:
> hello
>
>> By moving these calls into the kernel, you don't make them necessarily
>> fail-safe. This can all be implemented in user-space. By switching to
>> a dedicated VT (say, VT12) and running VT_SETMODE+VT_PROCESS, you lock
>> the machine. You can now implement your screensaver. If you run a
>> spawner-process, you're even safe if your screensaver crashes.
>
> Yes but this would lock the whole machine. Our plan is to make it posible
> to lock a specific set of VTs - owned by the user who wants to lock.
>
> e.g if user A locked all his VTs user B would still be able to switch to
> his VTs.

Correct. But if you want to support locking individual sessions (or
VTs), why not look at what is done with upcoming Wayland compositors,
which implement this in the compositor itself? That is, the session
tracks whether it's locked and shows a lock-screen if so. This can be
done on text-VTs the same as on graphical ones.

I mean, why does the kernel need to know VT state which is inherently
defined the application running on it?

Putting this in the kernel is the easier way out, given the historical
setup of gettys on VTs. But I wonder why it's supposed to be the
better way?

Thanks
David

Re: questions to planned lock-functionality for vts

[simone.weiss]

> Hi
>
> On Mon, Mar 23, 2015 at 2:02 PM,  <simone.weiss@fau.de> wrote:
>> hello
>>
>>> By moving these calls into the kernel, you don't make them necessarily
>>> fail-safe. This can all be implemented in user-space. By switching to
>>> a dedicated VT (say, VT12) and running VT_SETMODE+VT_PROCESS, you lock
>>> the machine. You can now implement your screensaver. If you run a
>>> spawner-process, you're even safe if your screensaver crashes.
>>
>> Yes but this would lock the whole machine. Our plan is to make it
>> posible
>> to lock a specific set of VTs - owned by the user who wants to lock.
>>
>> e.g if user A locked all his VTs user B would still be able to switch to
>> his VTs.
>
> Correct. But if you want to support locking individual sessions (or
> VTs), why not look at what is done with upcoming Wayland compositors,
> which implement this in the compositor itself? That is, the session
> tracks whether it's locked and shows a lock-screen if so. This can be
> done on text-VTs the same as on graphical ones.
>
> I mean, why does the kernel need to know VT state which is inherently
> defined the application running on it?
>
> Putting this in the kernel is the easier way out, given the historical
> setup of gettys on VTs. But I wonder why it's supposed to be the
> better way?
>
> Thanks
> David
>
Hello,

Our approch would be more universal, it wouldn't only work when wayland is
used, but as well on servers and systems that are not going to use
wayland.
And wayland doesn't seem to be ready soon.

Regards
Simone Weiss

Re: questions to planned lock-functionality for vts

[David Herrmann]

Hi

On Mon, Mar 23, 2015 at 3:48 PM,  <simone.weiss@fau.de> wrote:
> Our approch would be more universal, it wouldn't only work when wayland is
> used, but as well on servers and systems that are not going to use
> wayland.

This has nothing to do with Wayland. I just said doing it like Wayland
compositors do it. That is, handle it inside of the running
application, instead of reserving a separate VT.

Thanks
David