Date: Sat, 16 Jan 2021 07:09:59 -0800
From: Cy Schubert <Cy.Schubert@cschubert.com>
To: mike@karels.net
Cc: Mateusz Guzik <mjguzik@gmail.com>, Mariusz Zaborski <oshogbo@freebsd.org>, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org, Mark Johnston <markj@freebsd.org>, Alex Richardson <arichardson@freebsd.org>
Subject: Re: git: aefe30c54371 - main - cat: capsicumize it
Message-ID: <202101161510.10GF9xON022324@slippy.cwsent.com>
In-Reply-To: <202101161448.10GEmuI4095908@mail.karels.net>
References: <202101161448.10GEmuI4095908@mail.karels.net>
In message <202101161448.10GEmuI4095908@mail.karels.net>, Mike Karels writes:
> Mateusz wrote:
> > I have to strongly disagree with this change.
> >
> > truss -f cat /etc/motd immediately reveals most peculiar overhead
> > which comes with it.
> >
> > Some examples:
> > - pdfork is called 3 times and fork 1 time, spawning 4 processes in total
> > - the file is opened twice:
> > 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 5 (0x5)
> > 5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 7 (0x7)
> > 5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > - there is an enormous number of sendto/recvfrom instead of everything
> > happening in just one go
> >
> > Key points:
> > - the functionality provided by casper definitely induces way more
> > overhead than it should.
> > - regardless of the above, I find patching tools like tail and cat in
> > this manner to be highly questionable. Ultimately whatever security
> > may or may not have been gained always has to be gauged against
> > actual impact and it does not look like it is worth it in this case.
> >
> > Even if someone was to put cat in capability mode, for something as
> > trivial as opening one file, cat could just do it without all the other
> > overhead and then enter the sandbox.
> >
> > That said, I think this change (and possibly similar changes to other
> > tooling) should be reverted. Regardless of what happens here, casper
> > needs a lot of work before it is deemed usable.
> >
> > My $0,03.
>
> I also question this change. Using capsicum makes sense for something
> like tcpdump, which usually runs as root, uses privileged facilities,

tcpdump can drop its privileges. Various Linux distros and vendors do this.
I have a patch in my tree that will do this.

> and interprets external data that could potentially subvert it in the
> worst case. It also has a fairly high startup cost that can be amortized
> over its runtime.
> Cat is nothing like this, so I wonder what the motivation
> was for the change. It's not obvious to me that there is any significant
> value in capsicumizing, and there are obviously significant costs.

Agreed.

>
> Mike

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
NTP: <cy@nwtime.org> Web: https://nwtime.org

The need of the many outweighs the greed of the few.

>
> > On 1/15/21, Mariusz Zaborski <oshogbo@freebsd.org> wrote:
> > > The branch main has been updated by oshogbo:
> > >
> > > URL: https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > >
> > > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > Author: Mariusz Zaborski <oshogbo@FreeBSD.org>
> > > AuthorDate: 2021-01-15 20:22:29 +0000
> > > Commit: Mariusz Zaborski <oshogbo@FreeBSD.org>
> > > CommitDate: 2021-01-15 20:23:42 +0000
> > >
> > > cat: capsicumize it
> > >
> > > Reviewed by: markj, arichardson
> > > Differential Revision: https://reviews.freebsd.org/D28083
> <snip>
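The shape Mateusz describes above, opening the input and only then entering the sandbox, with no casper round trips, as an added example: this is not FreeBSD's cat(1) and not code from anyone in this thread. It uses only the public Capsicum calls cap_rights_init(3), cap_rights_limit(2) and cap_enter(2) plus POSIX file I/O; the names cat_paths, limit_rights, copy_fd and cat_roundtrip are chosen here, and the rights sets mirror the ones in the truss output quoted above. Outside FreeBSD the Capsicum calls are compiled out as labelled stand-ins, so the file handling still runs there but nothing is actually sandboxed.

```c
/* Added example, not FreeBSD's cat(1): open the inputs, shrink their rights,
 * enter capability mode, then read.  Plain Capsicum, no casper.  Outside
 * FreeBSD the Capsicum calls are compiled out as labelled stand-ins. */
#define _DEFAULT_SOURCE 1		/* glibc: mkstemp, O_DIRECTORY, unlinkat */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Keep only what cat needs: read/fcntl/fstat on inputs, write/fstat on the
 * output.  ENOSYS = kernel built without Capsicum: run unsandboxed, not fail. */
static int
limit_rights(int fd, int writable)
{
#ifdef __FreeBSD__
	cap_rights_t rights;
	if (writable)
		cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT);
	else
		cap_rights_init(&rights, CAP_READ, CAP_FCNTL, CAP_FSTAT);
	return (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS ? -1 : 0);
#else
	(void)fd; (void)writable; return (0);	/* stand-in: nothing restricted */
#endif
}

/* Copy in -> out until EOF, honouring short writes; returns bytes or -1. */
static ssize_t
copy_fd(int in, int out)
{
	char buf[8192];
	ssize_t n, off, w = 0, total = 0;
	while ((n = read(in, buf, sizeof(buf))) > 0)
		for (off = 0; off < n; off += w, total += w)
			if ((w = write(out, buf + off, (size_t)(n - off))) < 0)
				return (-1);
	return (n < 0 ? -1 : total);
}

/* cat every path to out.  All path lookups happen in step 1; after step 2,
 * open(2) of a fresh path fails with ECAPMODE and only descriptors already
 * held are usable.  Returns bytes written or -1. */
ssize_t
cat_paths(char *const paths[], int npaths, int out)
{
	int fds[64], i;
	ssize_t n, total = 0, result = -1;
	if (npaths < 1 || npaths > 64)
		return (errno = EINVAL, -1);
	memset(fds, -1, sizeof(fds));
	for (i = 0; i < npaths; i++)	/* 1. open and limit every input, unsandboxed */
		if ((fds[i] = open(paths[i], O_RDONLY)) < 0 || limit_rights(fds[i], 0) < 0)
			goto done;
	if (limit_rights(out, 1) < 0)
		goto done;
#ifdef __FreeBSD__			/* 2. enter the sandbox (compiled out elsewhere) */
	if (cap_enter() < 0 && errno != ENOSYS)
		goto done;
#endif
	for (i = 0; i < npaths; i++) {	/* 3. stream, now sandboxed */
		if ((n = copy_fd(fds[i], out)) < 0)
			goto done;
		total += n;
	}
	result = total;
done:
	for (i = 0; i < npaths; i++)
		if (fds[i] >= 0)
			close(fds[i]);
	return (result);
}

/* Self-checking demo: write text (small; it must fit the pipe buffer) to a
 * fresh file under /tmp, cat it through a pipe, compare: 1 = faithful copy,
 * 0 = mismatch, -1 = error.  Cleanup uses unlinkat() on a directory fd opened
 * beforehand, which still works once the process is in capability mode. */
int
cat_roundtrip(const char *text)
{
	char path[] = "/tmp/capcat.XXXXXX", back[4096], *argv[1] = { path };
	int dfd, fd, pfd[2];
	size_t len = strlen(text), got = 0; ssize_t n;
	if (len >= sizeof(back) || (dfd = open("/tmp", O_RDONLY | O_DIRECTORY)) < 0 ||
	    (fd = mkstemp(path)) < 0 || write(fd, text, len) != (ssize_t)len ||
	    close(fd) < 0 || pipe(pfd) < 0)
		return (-1);
	n = cat_paths(argv, 1, pfd[1]);
	close(pfd[1]);
	while (n >= 0 && (n = read(pfd[0], back + got, sizeof(back) - got)) > 0)
		got += (size_t)n;
	close(pfd[0]);
	(void)unlinkat(dfd, path + 5, 0);	/* name relative to dfd, past "/tmp/" */
	close(dfd);
	return (n < 0 ? -1 : got == len && memcmp(back, text, len) == 0);
}
```

Wrapped in a main that calls cat_paths(argv + 1, argc - 1, STDOUT_FILENO), truss -f on FreeBSD should show one openat(2) and one cap_rights_limit(2) per input, one cap_rights_limit on stdout and one cap_enter(2), and no pdfork or sendto/recvfrom traffic, because no casper service is ever started. The ENOSYS tolerance is the same choice caph_enter(3) makes on a kernel built without Capsicum: run unsandboxed rather than refuse to start. The unlinkat(2) cleanup relative to a directory descriptor opened beforehand is the general pattern for anything a sandboxed process must still do by name: acquire the directory capability first, then use the *at calls.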