Date:      Sat, 16 Jan 2021 08:48:56 -0600
From:      Mike Karels <mike@karels.net>
To:        Mateusz Guzik <mjguzik@gmail.com>
Cc:        Mariusz Zaborski <oshogbo@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org, Mark Johnston <markj@freebsd.org>, Alex Richardson <arichardson@freebsd.org>
Subject:   Re: git: aefe30c54371 - main - cat: capsicumize it
Message-ID:  <202101161448.10GEmuI4095908@mail.karels.net>
In-Reply-To: Your message of Sat, 16 Jan 2021 09:12:39 +0100. <CAGudoHHZw7WtXobwzKyM2Zj6bsohCkbmaDWDL73gu8kfp=Jj6A@mail.gmail.com>

Mateusz wrote:
> I have to strongly disagree with this change.

> truss -f cat /etc/motd immediately reveals most peculiar overhead
> which comes with it.

> Some examples:
> - pdfork is called 3 times and fork 1 time, spawning 4 processes in total
> - the file is opened twice:
>  5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00)  = 5 (0x5)
>  5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
>  5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00)  = 7 (0x7)
>  5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> - there is an enormous number of sendto/recvfrom instead of everything
> happening in just one go

> Key points:
> - the functionality provided by casper definitely induces way more
> overhead than it should.
> - regardless of the above, I find patching tools like tail and cat in
> this manner to be highly questionable. Ultimately whatever security
> may or may not have been gained, it always has to be gauged against
> actual impact, and it does not look like it is worth it in this case.

> Even if someone was to put cat in capability mode, for something as
> trivial as opening one file, cat could just do it without all the other
> overhead and then enter the sandbox.

> That said, I think this change (and possibly similar changes to other
> tooling) should be reverted. Regardless of what happens here, casper
> needs a lot of work before it is deemed usable.

> My $0,03.

I also question this change.  Using capsicum makes sense for something
like tcpdump, which usually runs as root, uses privileged facilities,
and interprets external data that could potentially subvert it in the
worst case.  It also has a fairly high startup cost that can be amortized
over its runtime.  Cat is nothing like this, so I wonder what the motivation
was for the change.  It's not obvious to me that there is any significant
value in capsicumizing, and there are obviously significant costs.

		Mike

> On 1/15/21, Mariusz Zaborski <oshogbo@freebsd.org> wrote:
> > The branch main has been updated by oshogbo:
> >
> > URL:
> > https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> >
> > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > Author:     Mariusz Zaborski <oshogbo@FreeBSD.org>
> > AuthorDate: 2021-01-15 20:22:29 +0000
> > Commit:     Mariusz Zaborski <oshogbo@FreeBSD.org>
> > CommitDate: 2021-01-15 20:23:42 +0000
> >
> >     cat: capsicumize it
> >
> >     Reviewed by:    markj, arichardson
> >     Differential Revision:  https://reviews.freebsd.org/D28083
<snip>
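The pattern Mateusz suggests (open the file with ambient authority, limit the descriptor, then enter the sandbox), as an added example that is not code from FreeBSD's cat(1), from the commit under discussion, or from anyone on this thread. It assumes a FreeBSD build for the Capsicum calls (cap_rights_init, cap_rights_limit, cap_enter); on other systems those steps are compiled out so the copy logic can still be exercised. The helper names, the /tmp file names and the two constructed file contents in the self-check are assumptions made for the demo. It generalizes the one-file case to any number of arguments by opening all of them before cap_enter(), since open(2) fails with ECAPMODE afterwards.

```c
#include <sys/types.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__		/* assumption: Capsicum is only available here */
#include <sys/capsicum.h>
#define HAVE_CAPSICUM 1
#endif

/* Restrict fd to what cat needs: read+fstat on inputs, write+fstat on output.
 * Returns 0 on success, -1 on error. No-op where Capsicum is unavailable. */
static int limit_fd(int fd, int for_reading)
{
#ifdef HAVE_CAPSICUM
	cap_rights_t rights;
	if (for_reading)
		cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
	else
		cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT);
	if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS)
		return (-1);
#else
	(void)fd; (void)for_reading;	/* non-FreeBSD build: nothing to limit */
#endif
	return (0);
}

/* Enter capability mode; afterwards open(2), unlink(2) etc. fail with ECAPMODE. */
static int enter_sandbox(void)
{
#ifdef HAVE_CAPSICUM
	if (cap_enter() < 0 && errno != ENOSYS)
		return (-1);
#endif
	return (0);
}

/* Copy in_fd to out_fd until EOF; returns bytes copied or -1. Only read/write
 * on descriptors already held, so it is safe inside capability mode. */
ssize_t copy_fd(int in_fd, int out_fd)
{
	char buf[8192];
	ssize_t total = 0;
	for (;;) {
		ssize_t n = read(in_fd, buf, sizeof(buf));
		if (n < 0) { if (errno == EINTR) continue; return (-1); }
		if (n == 0) return (total);
		for (ssize_t off = 0; off < n; ) {
			ssize_t w = write(out_fd, buf + off, n - off);
			if (w < 0) { if (errno == EINTR) continue; return (-1); }
			off += w;
		}
		total += n;
	}
}

/* cat core: open each input exactly once, limit rights, cap_enter(), copy.
 * No casper, no forked helpers. Returns bytes written or -1 (errno set). */
ssize_t cat_paths(const char *const *paths, size_t npaths, int out_fd)
{
	int *fds = malloc((npaths ? npaths : 1) * sizeof(*fds));
	ssize_t total = -1;
	size_t i;
	if (fds == NULL) return (-1);
	for (i = 0; i < npaths; i++) fds[i] = -1;
	/* Phase 1, with ambient authority: open and limit every descriptor. */
	for (i = 0; i < npaths; i++) {
		fds[i] = open(paths[i], O_RDONLY);
		if (fds[i] < 0 || limit_fd(fds[i], 1) < 0) goto out;
	}
	if (limit_fd(out_fd, 0) < 0) goto out;
	/* Phase 2: drop ambient authority; only the fds above remain usable. */
	if (enter_sandbox() < 0) goto out;
	total = 0;
	for (i = 0; i < npaths; i++) {
		ssize_t n = copy_fd(fds[i], out_fd);
		if (n < 0) { total = -1; break; }
		total += n;
	}
out:
	for (i = 0; i < npaths; i++) if (fds[i] >= 0) close(fds[i]);
	free(fds);
	return (total);
}

/* Self-check on constructed input: two temp files concatenated into a pipe.
 * Returns 1 if the pipe holds exactly both contents in order, else 0. */
int demo_roundtrip(void)
{
	static const char *parts[2] = { "first line\n", "second line\n" };
	char names[2][32], out[64];
	const char *paths[2];
	int pfd[2], ok = 0;
	for (int i = 0; i < 2; i++) {
		strcpy(names[i], "/tmp/capcatXXXXXX");	/* assumed writable */
		int fd = mkstemp(names[i]);
		if (fd < 0) return (0);
		if (write(fd, parts[i], strlen(parts[i])) < 0) { close(fd); return (0); }
		close(fd);
		paths[i] = names[i];
	}
	if (pipe(pfd) < 0) return (0);
	ssize_t n = cat_paths(paths, 2, pfd[1]);
	close(pfd[1]);
	if (n == (ssize_t)(strlen(parts[0]) + strlen(parts[1]))) {
		ssize_t got = read(pfd[0], out, sizeof(out) - 1);
		if (got == n) {
			out[got] = '\0';
			ok = strncmp(out, parts[0], strlen(parts[0])) == 0 &&
			    strcmp(out + strlen(parts[0]), parts[1]) == 0;
		}
	}
	close(pfd[0]);
	/* On FreeBSD these unlinks fail with ECAPMODE: the process is sandboxed. */
	for (int i = 0; i < 2; i++) unlink(names[i]);
	return (ok);
}

int main(int argc, char **argv)
{
	if (argc < 2) return (demo_roundtrip() ? 0 : 1);
	if (cat_paths((const char *const *)argv + 1, (size_t)argc - 1,
	    STDOUT_FILENO) < 0) { perror("cat"); return (1); }
	return (0);
}
```

Build with `cc -o capcat capcat.c` and run `./capcat /etc/motd`. On FreeBSD, `truss ./capcat /etc/motd` should then show one openat(2) for the file, one cap_rights_limit(2) per descriptor and a single cap_enter(2), with none of the pdfork/sendto/recvfrom traffic quoted above, because nothing after cap_enter() needs a service that casper would have to broker.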


