From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751285AbcGNRsw (ORCPT <rfc822;w@1wt.eu>);
	Thu, 14 Jul 2016 13:48:52 -0400
Received: from mga09.intel.com ([134.134.136.24]:14803 "EHLO mga09.intel.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751051AbcGNRsu (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 14 Jul 2016 13:48:50 -0400
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.28,363,1464678000"; 
   d="scan'208";a="995366788"
Subject: Re: [PATCH 2/2] proc: Add /proc/<pid>/timerslack_ns interface
To: Kees Cook <keescook@chromium.org>, John Stultz <john.stultz@linaro.org>
References: <1455671191-32105-1-git-send-email-john.stultz@linaro.org>
 <1455671191-32105-3-git-send-email-john.stultz@linaro.org>
 <CALAqxLUsJ8Aph76mJ9xZWry56xvL8wKy+HVbgh=NQ-fimFUtJg@mail.gmail.com>
 <CAGXu5jJwAVdKBKUgWgGvwoHn8p7bNWMVK8+BNqmaE+Q7TrT1rA@mail.gmail.com>
 <20160714124806.GB31333@mail.hallyn.com>
 <CALAqxLWb6LaLro-dCYF1Upm1=4Dag1JfrmsxrjWhc6x-keGzkg@mail.gmail.com>
 <CAGXu5jLtwanTYJeFSw1GjPTfd=k1LXv0bkCP3y0A57_xjj92yQ@mail.gmail.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        lkml <linux-kernel@vger.kernel.org>, Oren Laadan <orenl@cellrox.com>,
        Ruchi Kandoi <kandoiruchi@google.com>,
        Rom Lemarchand <romlem@android.com>,
        Android Kernel Team <kernel-team@android.com>,
        Todd Kjos <tkjos@google.com>, Colin Cross <ccross@android.com>,
        Nick Kralevich <nnk@google.com>, Dmitry Shmidt <dimitrysh@google.com>,
        Elliott Hughes <enh@google.com>
From: Arjan van de Ven <arjan@linux.intel.com>
Message-ID: <0043c0cf-8051-ebf0-7284-6157ea55d1b2@linux.intel.com>
Date: Thu, 14 Jul 2016 10:48:17 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <CAGXu5jLtwanTYJeFSw1GjPTfd=k1LXv0bkCP3y0A57_xjj92yQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/14/2016 10:45 AM, Kees Cook wrote:
> On Thu, Jul 14, 2016 at 9:09 AM, John Stultz <john.stultz@linaro.org> wrote:
>> On Thu, Jul 14, 2016 at 5:48 AM, Serge E. Hallyn <serge@hallyn.com> wrote:
>>> Quoting Kees Cook (keescook@chromium.org):
>>>> I think the original CAP_SYS_NICE should be fine. A malicious
>>>> CAP_SYS_NICE process can do plenty of insane things, I don't feel like
>>>> the timer slack adds to any realistic risks.
>>>
>>> Can someone give a detailed explanation of what you could do with
>>> the new timerslack feature and compare it to what you can do with
>>> sys_nice?
>>
>> Looking at the man page for CAP_SYS_NICE, it looks like such a task
>> can set a task as SCHED_FIFO, so they could fork some spinning
>> processes and set them all SCHED_FIFO 99, in effect delaying all other
>> tasks for an infinite amount of time.
>>
>> So one might argue setting large timerslack vlaues isn't that
>> different risk wise?
>
> Right -- you can hose a system with CAP_SYS_NICE already; I don't
> think timerslack realistically changes that.

fair enough

the worry of being able to time attack things is there already with the SCHED_FIFO
so... purist objection withdrawn in favor of the pragmatic