From: David Howells <dhowells@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: dhowells@redhat.com, Ray Strode <rstrode@redhat.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Steven Whitehouse <swhiteho@redhat.com>,
Nicolas Dichtel <nicolas.dichtel@6wind.com>,
raven@themaw.net, keyrings@vger.kernel.org,
linux-usb@vger.kernel.org,
linux-block <linux-block@vger.kernel.org>,
Christian Brauner <christian@brauner.io>,
LSM List <linux-security-module@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
Al Viro <viro@zeniv.linux.org.uk>,
"Ray, Debarshi" <debarshi.ray@gmail.com>,
Robbie Harwood <rharwood@redhat.com>
Subject: Re: Why add the general notification queue and its sources
Date: Thu, 05 Sep 2019 22:32:44 +0100 [thread overview]
Message-ID: <5396.1567719164@warthog.procyon.org.uk> (raw)
In-Reply-To: <CAHk-=wjcsxQ8QB_v=cwBQw4pkJg7pp-bBsdWyPivFO_OeF-y+g@mail.gmail.com>
Linus Torvalds <torvalds@linux-foundation.org> wrote:
> Also, what is the security model here? Open a special character
> device, and you get access to random notifications from random
> sources?
>
> That makes no sense. Do they have the same security permissions?
Sigh. It doesn't work like that. I tried to describe this in the manpages I
referred to in the cover note. Obviously I didn't do a good enough job. Let
me try and explain the general workings and the security model here.
(1) /dev/watch_queue just implements locked-in-memory buffers. It gets you
no events by simply opening it.
Each time you open it you get your own private buffer. Buffers are not
shares. Creation of buffers is limited by ENFILE, EMFILE and
RLIMIT_MEMLOCK.
(2) A buffer is implemented as a pollable ring buffer, with the head pointer
belonging to the kernel and the tail pointer belonging to userspace.
Userspace mmaps the buffer.
The kernel *only ever* reads the head and tail pointer from a buffer; it
never reads anything else.
When it wants to post a message to a buffer, the kernel reads the
pointers and then does one of three things:
(a) If the pointers were incoherent it drops the message.
(b) If the buffer was full the kernel writes a flag to indicate this
and drops the message.
(c) Otherwise, the kernel writes a message and maybe padding at the
place(s) it expects and writes the head pointer. If userspace was
busy trashing the place, that should not cause a problem for the
kernel.
The buffer pointers are expected to run to the end and wrap naturally;
they're only masked off at the point of actually accessing the buffer.
(3) You connect event sources to your buffer, e.g.:
fd = open("/dev/watch_queue", ...);
keyctl_watch_key(KEY_SPEC_SESSION_KEYRING, fd, ...);
or:
watch_mount(AT_FDCWD, "/net", 0, fd, ...);
Security is checked at the point of connection to make sure you have
permission to access that source. You have to have View permission on a
key/keyring for key events, for example, and you have to have execute
permission on a directory for mount events.
The LSM gets a look-in too: Smack checks you have read permission on a
key for example.
(4) You can connect multiple sources of different types to your buffer and a
source can be connected to multiple buffers at a time.
(5) Security is checked when an event is delivered to make sure the triggerer
of the event has permission to give you that event. Smack requires that
the triggerer has write permission on the opener of the buffer for
example.
(6) poll() signals POLLIN|POLLRDNORM if there is stuff in the buffer and
POLLERR if the pointers are incoherent.
David
next prev parent reply other threads:[~2019-09-05 21:32 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-04 22:15 [PATCH 00/11] Keyrings, Block and USB notifications [ver #8] David Howells
2019-09-04 22:15 ` [PATCH 01/11] uapi: General notification ring definitions " David Howells
2019-09-04 22:16 ` [PATCH 02/11] security: Add hooks to rule on setting a watch " David Howells
2019-09-04 22:16 ` [PATCH 03/11] security: Add a hook for the point of notification insertion " David Howells
2019-09-04 22:16 ` [PATCH 04/11] General notification queue with user mmap()'able ring buffer " David Howells
2019-09-04 22:16 ` [PATCH 05/11] keys: Add a notification facility " David Howells
2019-09-04 22:16 ` [PATCH 06/11] Add a general, global device notification watch list " David Howells
2019-09-04 22:16 ` [PATCH 07/11] block: Add block layer notifications " David Howells
2019-09-04 22:16 ` [PATCH 08/11] usb: Add USB subsystem " David Howells
2019-09-04 22:17 ` [PATCH 09/11] Add sample notification program " David Howells
2019-09-04 22:17 ` [PATCH 10/11] selinux: Implement the watch_key security hook " David Howells
2019-09-04 22:17 ` [PATCH 11/11] smack: Implement the watch_key and post_notification hooks " David Howells
2019-09-04 22:28 ` [PATCH 00/11] Keyrings, Block and USB notifications " Linus Torvalds
2019-09-05 17:01 ` Why add the general notification queue and its sources David Howells
2019-09-05 17:19 ` Linus Torvalds
2019-09-05 18:32 ` Ray Strode
2019-09-05 20:39 ` Linus Torvalds
2019-09-06 19:32 ` Ray Strode
2019-09-06 19:41 ` Ray Strode
2019-09-06 19:53 ` Robbie Harwood
2019-09-05 21:32 ` David Howells [this message]
2019-09-05 22:08 ` Linus Torvalds
2019-09-05 23:18 ` David Howells
2019-09-06 0:07 ` Linus Torvalds
2019-09-06 10:09 ` David Howells
2019-09-06 15:35 ` Linus Torvalds
2019-09-06 15:53 ` Linus Torvalds
2019-09-06 16:12 ` Steven Whitehouse
2019-09-06 17:07 ` Linus Torvalds
2019-09-06 17:14 ` Linus Torvalds
2019-09-06 21:19 ` David Howells
2019-09-06 17:14 ` Andy Lutomirski
2019-09-05 18:37 ` Steven Whitehouse
2019-09-05 18:51 ` Ray Strode
2019-09-05 20:09 ` David Lehman
2019-09-05 18:33 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5396.1567719164@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=christian@brauner.io \
--cc=debarshi.ray@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=nicolas.dichtel@6wind.com \
--cc=raven@themaw.net \
--cc=rharwood@redhat.com \
--cc=rstrode@redhat.com \
--cc=swhiteho@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).