From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.7 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 347AEC43331 for ; Thu, 5 Sep 2019 21:32:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 6BBDE206BB for ; Thu, 5 Sep 2019 21:32:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390678AbfIEVcu (ORCPT ); Thu, 5 Sep 2019 17:32:50 -0400 Received: from mx1.redhat.com ([209.132.183.28]:8816 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731418AbfIEVct (ORCPT ); Thu, 5 Sep 2019 17:32:49 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 37A8C18C4266; Thu, 5 Sep 2019 21:32:49 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-255.rdu2.redhat.com [10.10.120.255]) by smtp.corp.redhat.com (Postfix) with ESMTP id A7BBA60BE1; Thu, 5 Sep 2019 21:32:45 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: References: <156763534546.18676.3530557439501101639.stgit@warthog.procyon.org.uk> <17703.1567702907@warthog.procyon.org.uk> To: Linus Torvalds Cc: dhowells@redhat.com, Ray Strode , Greg Kroah-Hartman , Steven Whitehouse , Nicolas Dichtel , raven@themaw.net, keyrings@vger.kernel.org, linux-usb@vger.kernel.org, linux-block , Christian Brauner , LSM List , linux-fsdevel , Linux API , Linux List Kernel Mailing , Al Viro , "Ray, Debarshi" , Robbie Harwood Subject: Re: Why add the general notification queue and its sources MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <5395.1567719164.1@warthog.procyon.org.uk> Date: Thu, 05 Sep 2019 22:32:44 +0100 Message-ID: <5396.1567719164@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (mx1.redhat.com [10.5.110.62]); Thu, 05 Sep 2019 21:32:49 +0000 (UTC) Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Linus Torvalds wrote: > Also, what is the security model here? Open a special character > device, and you get access to random notifications from random > sources? > > That makes no sense. Do they have the same security permissions? Sigh. It doesn't work like that. I tried to describe this in the manpages I referred to in the cover note. Obviously I didn't do a good enough job. Let me try and explain the general workings and the security model here. (1) /dev/watch_queue just implements locked-in-memory buffers. It gets you no events by simply opening it. Each time you open it you get your own private buffer. Buffers are not shares. Creation of buffers is limited by ENFILE, EMFILE and RLIMIT_MEMLOCK. (2) A buffer is implemented as a pollable ring buffer, with the head pointer belonging to the kernel and the tail pointer belonging to userspace. Userspace mmaps the buffer. The kernel *only ever* reads the head and tail pointer from a buffer; it never reads anything else. When it wants to post a message to a buffer, the kernel reads the pointers and then does one of three things: (a) If the pointers were incoherent it drops the message. (b) If the buffer was full the kernel writes a flag to indicate this and drops the message. (c) Otherwise, the kernel writes a message and maybe padding at the place(s) it expects and writes the head pointer. If userspace was busy trashing the place, that should not cause a problem for the kernel. The buffer pointers are expected to run to the end and wrap naturally; they're only masked off at the point of actually accessing the buffer. (3) You connect event sources to your buffer, e.g.: fd = open("/dev/watch_queue", ...); keyctl_watch_key(KEY_SPEC_SESSION_KEYRING, fd, ...); or: watch_mount(AT_FDCWD, "/net", 0, fd, ...); Security is checked at the point of connection to make sure you have permission to access that source. You have to have View permission on a key/keyring for key events, for example, and you have to have execute permission on a directory for mount events. The LSM gets a look-in too: Smack checks you have read permission on a key for example. (4) You can connect multiple sources of different types to your buffer and a source can be connected to multiple buffers at a time. (5) Security is checked when an event is delivered to make sure the triggerer of the event has permission to give you that event. Smack requires that the triggerer has write permission on the opener of the buffer for example. (6) poll() signals POLLIN|POLLRDNORM if there is stuff in the buffer and POLLERR if the pointers are incoherent. David