From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751346AbcGNF3t (ORCPT <rfc822;w@1wt.eu>);
	Thu, 14 Jul 2016 01:29:49 -0400
Received: from mga01.intel.com ([192.55.52.88]:8918 "EHLO mga01.intel.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751208AbcGNF3m (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 14 Jul 2016 01:29:42 -0400
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.28,361,1464678000"; 
   d="scan'208";a="994885525"
Subject: Re: [PATCH 2/2] proc: Add /proc/<pid>/timerslack_ns interface
To: Kees Cook <keescook@chromium.org>, John Stultz <john.stultz@linaro.org>
References: <1455671191-32105-1-git-send-email-john.stultz@linaro.org>
 <1455671191-32105-3-git-send-email-john.stultz@linaro.org>
 <CALAqxLUsJ8Aph76mJ9xZWry56xvL8wKy+HVbgh=NQ-fimFUtJg@mail.gmail.com>
 <CAGXu5jJwAVdKBKUgWgGvwoHn8p7bNWMVK8+BNqmaE+Q7TrT1rA@mail.gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        lkml <linux-kernel@vger.kernel.org>, Oren Laadan <orenl@cellrox.com>,
        Ruchi Kandoi <kandoiruchi@google.com>,
        Rom Lemarchand <romlem@android.com>,
        Android Kernel Team <kernel-team@android.com>,
        Todd Kjos <tkjos@google.com>, Colin Cross <ccross@android.com>,
        Nick Kralevich <nnk@google.com>, Dmitry Shmidt <dimitrysh@google.com>,
        Elliott Hughes <enh@google.com>
From: Arjan van de Ven <arjan@linux.intel.com>
Message-ID: <df4496b1-17dc-1da5-77c5-6c94fcd1e147@linux.intel.com>
Date: Wed, 13 Jul 2016 22:29:40 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <CAGXu5jJwAVdKBKUgWgGvwoHn8p7bNWMVK8+BNqmaE+Q7TrT1rA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/13/2016 8:39 PM, Kees Cook wrote:
>>
>> So I worry I'm a bit stuck here. For general systems, CAP_SYS_NICE is
>> too low a level of privilege  to set a tasks timerslack, but
>> apparently CAP_SYS_PTRACE is too high a privilege for Android's
>> system_server to require just to set a tasks timerslack value.
>>
>> So I wanted to ask again if we might consider backing this down to
>> CAP_SYS_NICE, or if we can instead introduce a new CAP_SYS_TIMERSLACK
>> or something to provide the needed in-between capability level.
>
> Adding new capabilities appears to not really be viable (lots of
> threads about this...)
>
> I think the original CAP_SYS_NICE should be fine. A malicious
> CAP_SYS_NICE process can do plenty of insane things, I don't feel like
> the timer slack adds to any realistic risks.

if the result is really as bad as you describe, then that is worse than
the impact of this being CAP_SYS_NICE, and thus SYS_TRACE is maybe the
purist answer, but not the pragmatic best answer; certainly I don't want
to make the overall system security worse.

I wonder how much you want to set the slack; one of the options (and I don't
know how this will work in the code, if it's horrible don't do it)
is to limit how much slack CAP_SYS_NICE can set (say, 50 or 100 msec, e.g. in the order
of a "time slice" or two if Linux had time slices, similar to what nice would do)
while CAP_SYS_TRACE  can set the full 4 seconds.
If it makes the code horrible, don't do it and just do SYS_NICE.