From: ebiederm@xmission.com (Eric W. Biederman)
To: Kees Cook <keescook@chromium.org>
Cc: Peter Zijlstra <peterz@infradead.org>,
Jeff Vander Stoep <jeffv@google.com>,
Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
"linux-doc\@vger.kernel.org" <linux-doc@vger.kernel.org>,
"kernel-hardening\@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
LKML <linux-kernel@vger.kernel.org>,
Jonathan Corbet <corbet@lwn.net>
Subject: Re: [kernel-hardening] Re: [PATCH 1/2] security, perf: allow further restriction of perf_event_open
Date: Wed, 03 Aug 2016 12:25:24 -0500 [thread overview]
Message-ID: <87shulix2z.fsf@x220.int.ebiederm.org> (raw)
In-Reply-To: <CAGXu5jJ+b4mWQ+RwPLo26di1qUwKT344GoN6xwzA1fw5Ke=ydA@mail.gmail.com> (Kees Cook's message of "Tue, 2 Aug 2016 13:51:47 -0700")
Sigh.
Kees we have already had this conversation about user namespaces and
apparently you missed the point.
As I have said before the problem with a system wide off switch is what
happens when you have a single application that needs to use the
feature. Without care your system wide protection disappears.
That is very brittle design.
What I see as much more palatable is a design that allows for
features to be turned off in sandboxes.
So please if you are going to worry about disabling large swaths of
the kernel to reduce the attack surface please come up with designs
that are not brittle in allowing users to use a feature nor are they
brittle in keeping the feature disabled where you want it disabled.
One of the strengths of linux is applications of features the authors of
the software had not imagined. Your proposals seem to be trying to put
the world a tiny little box where if someone had not imagined and
preapproved a use of a feature it should not happen. Let's please
avoid implementing totalitarianism to avoid malicious code exploiting
bugs in the kernel. I am not interested in that future.
Especially when dealing with disabling code to reduce attack surface,
when then are no known attacks what we are actually dealing with
is a small percentage probability reduction that a malicious attacker
will be able to exploit the attack.
Remember security is as much about availability as it is about
integrity. You keep imagining features that are great big denial of
service attacks on legitimate users.
Kees Cook <keescook@chromium.org> writes:
> On Tue, Aug 2, 2016 at 1:30 PM, Peter Zijlstra <peterz@infradead.org> wrote:
> Let me take this another way instead. What would be a better way to
> provide a mechanism for system owners to disable perf without an LSM?
> (Since far fewer folks run with an enforcing "big" LSM: I'm seeking as
> wide a coverage as possible.)
I vote for sandboxes. Perhaps seccomp. Perhaps a per userns sysctl.
Perhaps something else.
Eric
next prev parent reply other threads:[~2016-08-03 23:47 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-27 14:45 [PATCH 1/2] security, perf: allow further restriction of perf_event_open Jeff Vander Stoep
2016-07-27 20:43 ` [kernel-hardening] " Kees Cook
2016-08-02 9:52 ` Peter Zijlstra
2016-08-02 13:04 ` Arnaldo Carvalho de Melo
2016-08-02 13:10 ` [kernel-hardening] " Daniel Micay
2016-08-02 13:16 ` Daniel Micay
2016-08-02 19:04 ` Kees Cook
2016-08-02 20:30 ` Peter Zijlstra
2016-08-02 20:51 ` Kees Cook
2016-08-03 8:28 ` Ingo Molnar
2016-08-03 12:28 ` Daniel Micay
2016-08-03 12:53 ` Daniel Micay
2016-08-03 13:36 ` Peter Zijlstra
2016-08-03 14:41 ` Peter Zijlstra
2016-08-03 15:42 ` Schaufler, Casey
2016-08-03 17:25 ` Eric W. Biederman [this message]
2016-08-03 18:53 ` Kees Cook
2016-08-03 21:44 ` Peter Zijlstra
2016-08-04 2:50 ` Eric W. Biederman
2016-08-04 9:11 ` Peter Zijlstra
2016-08-04 15:13 ` Eric W. Biederman
2016-08-04 15:37 ` Peter Zijlstra
2016-08-03 19:36 ` Daniel Micay
2016-08-04 10:28 ` Mark Rutland
2016-08-04 13:45 ` Daniel Micay
2016-08-04 14:11 ` Peter Zijlstra
2016-08-04 15:44 ` Daniel Micay
2016-08-04 15:55 ` Peter Zijlstra
2016-08-04 16:10 ` Mark Rutland
2016-08-04 16:32 ` Daniel Micay
2016-08-04 17:09 ` Mark Rutland
2016-08-04 17:36 ` Daniel Micay
2016-08-02 21:16 ` Jeffrey Vander Stoep
2016-10-17 13:44 ` [kernel-hardening] " Mark Rutland
2016-10-17 14:54 ` Daniel Micay
2016-10-19 9:41 ` Mark Rutland
2016-10-19 15:16 ` Daniel Micay
2016-10-18 20:48 ` Kees Cook
2016-10-18 21:15 ` Daniel Micay
2016-10-19 9:56 ` Mark Rutland
2016-10-19 10:01 ` Peter Zijlstra
2016-10-19 10:26 ` Arnaldo Carvalho de Melo
2016-10-19 10:40 ` Peter Zijlstra
2016-10-19 15:39 ` Daniel Micay
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87shulix2z.fsf@x220.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=corbet@lwn.net \
--cc=jeffv@google.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).