From: Mike Karels
Reply-to: mike@karels.net
To: Mateusz Guzik
cc: Mariusz Zaborski, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org, Mark Johnston, Alex Richardson
Subject: Re: git: aefe30c54371 - main - cat: capsicumize it
In-reply-to: Your message of Sat, 16 Jan 2021 09:12:39 +0100.
Message-Id: <202101161448.10GEmuI4095908@mail.karels.net>
Date: Sat, 16 Jan 2021 08:48:56 -0600

Mateusz wrote:
> I have to strongly disagree with this change.
> truss -f cat /etc/motd immediately reveals most peculiar overhead
> which comes with it.
> Some examples:
> - pdfork is called 3 times and fork 1 time, spawning 4 processes in total
> - the file is opened twice:
> 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 5 (0x5)
> 5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 7 (0x7)
> 5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> - there is an enormous number of sendto/recvfrom instead of everything
> happening in just one go
> Key points:
> - the functionality provided by casper definitely induces way more
> overhead than it should.
> - regardless of the above, I find patching tools like tail and cat in
> this manner to be highly questionable. Ultimately whatever security
> may or may not have been gained always has to be gauged against
> actual impact, and it does not look like it is worth it in this case.
> Even if someone was to put cat in capability mode, for something as
> trivial as opening one file, cat could just do it without all the other
> overhead and then enter the sandbox.
> That said, I think this change (and possibly similar changes to other
> tooling) should be reverted. Regardless of what happens here, casper
> needs a lot of work before it is deemed usable.
> My $0,03.

I also question this change. Using capsicum makes sense for something like
tcpdump, which usually runs as root, uses privileged facilities, and
interprets external data that could potentially subvert it in the worst
case. It also has a fairly high startup cost that can be amortized over its
runtime. Cat is nothing like this, so I wonder what the motivation was for
the change. It's not obvious to me that there is any significant value in
capsicumizing, and there are obviously significant costs.
Mike

> On 1/15/21, Mariusz Zaborski wrote:
> > The branch main has been updated by oshogbo:
> >
> > URL:
> > https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> >
> > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > Author: Mariusz Zaborski
> > AuthorDate: 2021-01-15 20:22:29 +0000
> > Commit: Mariusz Zaborski
> > CommitDate: 2021-01-15 20:23:42 +0000
> >
> > cat: capsicumize it
> >
> > Reviewed by: markj, arichardson
> > Differential Revision: https://reviews.freebsd.org/D28083
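The alternative Mateusz sketches ("cat could just do it without all the other overhead and then enter the sandbox") as an added example; this is not code from the thread, from the commit under discussion, or from FreeBSD's cat(1). The path is opened exactly once while the process is still unsandboxed, the two descriptors are limited with cap_rights_limit() to the rights a copy loop needs, and only then does the process call cap_enter() and copy; no Casper service and no second open(2) are involved. The function names (copy_fd, cat_in_sandbox, sandboxed_cat, demo_roundtrip) and the temp-file contents are constructed for the example; so is the assumption that on a host without Capsicum the cap_* calls are compiled out so the plain copy still builds. The fork in sandboxed_cat exists only so the caller is not itself placed in capability mode; a real cat(1) would call cat_in_sandbox() in-process and spawn nothing.

```c
/* Added example, not from the thread or FreeBSD's cat(1): "open first, then
 * sandbox". One open(2) while unsandboxed, rights limited, then cap_enter()
 * and copy; no Casper. Assumption: on hosts without Capsicum the cap_* calls
 * are compiled out so the plain copy still builds. */
#ifdef __linux__
#define _DEFAULT_SOURCE /* mkstemp/fork prototypes under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Copy in_fd to out_fd until EOF; returns bytes copied or -1. */
static ssize_t copy_fd(int in_fd, int out_fd)
{
    char buf[8192];
    ssize_t total = 0, n, off, w;

    while ((n = read(in_fd, buf, sizeof buf)) > 0) {
        for (off = 0; off < n; off += w)
            if ((w = write(out_fd, buf + off, (size_t)(n - off))) < 0)
                return -1;
        total += n;
    }
    return n < 0 ? -1 : total;
}

/* Limit both fds, enter capability mode, then copy. After cap_enter() only
 * descriptors already held are usable (open(2) of a path fails with ECAPMODE),
 * so the open must happen in the caller. ENOSYS (no Capsicum) is tolerated. */
static ssize_t cat_in_sandbox(int in_fd, int out_fd)
{
#ifdef __FreeBSD__
    cap_rights_t in_rights, out_rights;

    cap_rights_init(&in_rights, CAP_READ, CAP_FSTAT);
    cap_rights_init(&out_rights, CAP_WRITE, CAP_FSTAT);
    if ((cap_rights_limit(in_fd, &in_rights) < 0 ||
         cap_rights_limit(out_fd, &out_rights) < 0) && errno != ENOSYS)
        return -1;
    if (cap_enter() < 0 && errno != ENOSYS)
        return -1;
#endif
    return copy_fd(in_fd, out_fd);
}

/* Open path once (unsandboxed), then copy in a child that enters capability
 * mode. The fork is only so the caller (here, a test) stays unsandboxed; a
 * real cat(1) would call cat_in_sandbox() directly. Returns 0 or -1. */
int sandboxed_cat(const char *path, int out_fd)
{
    int in_fd, status;
    pid_t pid;

    if ((in_fd = open(path, O_RDONLY)) < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(in_fd);
        return -1;
    }
    if (pid == 0)
        _exit(cat_in_sandbox(in_fd, out_fd) < 0 ? 1 : 0);
    close(in_fd);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Round trip over a constructed temp file: 1 if the bytes the sandboxed child
 * emits equal the bytes written in, else 0. */
int demo_roundtrip(void)
{
    static const char content[] = "line one\nline two\n"; /* constructed */
    const size_t len = sizeof content - 1;
    char path[] = "/tmp/capcat.XXXXXX", back[sizeof content];
    int fd, rc, pipefd[2], ok = 0;
    ssize_t got = 0, n;

    if ((fd = mkstemp(path)) < 0)
        return 0;
    if (write(fd, content, len) == (ssize_t)len && pipe(pipefd) == 0) {
        rc = sandboxed_cat(path, pipefd[1]);
        close(pipefd[1]);
        while (rc == 0 && (n = read(pipefd[0], back + got, sizeof back - (size_t)got)) > 0)
            got += n;
        ok = rc == 0 && (size_t)got == len && memcmp(back, content, len) == 0;
        close(pipefd[0]);
    }
    close(fd);
    unlink(path);
    return ok;
}
```

On a FreeBSD host, running the round trip under truss -f, as Mateusz did with cat, is the natural check: the trace should show a single openat of the temp file, one cap_rights_limit per descriptor, one cap_enter, and the one fork that belongs to the demo harness rather than to the copy itself.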