From owner-dev-commits-src-main@freebsd.org Sat Jan 16 15:10:09 2021
From: Cy Schubert
Reply-to: Cy Schubert
To: mike@karels.net
cc: Mateusz Guzik, Mariusz Zaborski, src-committers@freebsd.org, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org, Mark Johnston, Alex Richardson
Subject: Re: git: aefe30c54371 - main - cat: capsicumize it
In-reply-to: <202101161448.10GEmuI4095908@mail.karels.net>
References: <202101161448.10GEmuI4095908@mail.karels.net>
Date: Sat, 16 Jan 2021 07:09:59 -0800
Message-Id: <202101161510.10GF9xON022324@slippy.cwsent.com>
List-Id: Commit messages for the main branch of the src repository

In message <202101161448.10GEmuI4095908@mail.karels.net>, Mike Karels writes:
> Mateusz wrote:
> > I have to strongly disagree with this change.
> >
> > truss -f cat /etc/motd immediately reveals most peculiar overhead
> > which comes with it.
> >
> > Some examples:
> > - pdfork is called 3 times and fork 1 time, spawning 4 processes in total
> > - the file is opened twice:
> > 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 5 (0x5)
> > 5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 7 (0x7)
> > 5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > - there is an enormous number of sendto/recvfrom instead of everything
> > happening in just one go
> >
> > Key points:
> > - the functionality provided by casper definitely induces way more
> > overhead than it should.
> > - regardless of the above, I find patching tools like tail and cat in
> > this manner to be highly questionable. Ultimately whatever security
> > may or may not have been gained it always have to be gauged against
> > actual impact and it does not look it is worth it in this case.
> >
> > Even if someone was to put cat in capability mode, for something as
> > trivial a opening one file, cat could just do it without all the other
> > overhead and then enter the sandbox.
> >
> > That said, I think this change (and possibly similar changes to other
> > tooling) should be reverted. Regardless of what happens here, casper
> > needs a lot of work before it is deemed usable.
> >
> > My $0,03.
>
> I also question this change. Using capsicum makes sense for something
> like tcpdump, which usually runs as root, uses privileged facilities,

tcpdump can drop its privileges. Various Linux distros and vendors do this. I have a patch in my tree that will do this.

> and interprets external data that could potentially subvert it in the
> worst case. It also has a fairly high startup cost that can be amortized
> over its runtime. Cat is nothing like this, so I wonder what the motivation
> was for the change. It's not obvious to me that there is any significant
> value in capsicumizing, and there are obviously significant costs.

Agreed.

>
> Mike

-- 
Cheers,
Cy Schubert
FreeBSD UNIX: Web: https://FreeBSD.org
NTP: Web: https://nwtime.org

The need of the many outweighs the greed of the few.

>
> > On 1/15/21, Mariusz Zaborski wrote:
> > > The branch main has been updated by oshogbo:
> > >
> > > URL:
> > > https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > >
> > > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > Author: Mariusz Zaborski
> > > AuthorDate: 2021-01-15 20:22:29 +0000
> > > Commit: Mariusz Zaborski
> > > CommitDate: 2021-01-15 20:23:42 +0000
> > >
> > > cat: capsicumize it
> > >
> > > Reviewed by: markj, arichardson
> > > Differential Revision: https://reviews.freebsd.org/D28083
> > >
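The alternative Mateusz describes in the thread above (open the inputs up front, then enter capability mode, with no Casper round trips) as an added example; this is not code from FreeBSD's cat or from anyone in the thread. It assumes Capsicum is only available on FreeBSD and compiles the sandbox calls to labelled stubs elsewhere, and it leaves out stdin handling and cat's option flags.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_rights_limit(), cap_enter() */
#else  /* Build-time stubs (assumption) so this compiles where Capsicum is absent. */
typedef int cap_rights_t;
#define cap_rights_init(r, ...) (*(r) = 0)
#define cap_rights_limit(fd, r) ((void)(fd), (void)(r), 0)
#define cap_enter() 0
#endif
/* Inputs keep only CAP_READ/CAP_FSTAT, the output only CAP_WRITE. */
static int limit_fd(int fd, int writable)
{
    cap_rights_t r;
    if (writable)
        cap_rights_init(&r, CAP_WRITE);
    else
        cap_rights_init(&r, CAP_READ, CAP_FSTAT);
    return cap_rights_limit(fd, &r);
}
/* cat-style copy of up to 16 files to out_fd: open everything, cap_enter(),
 * then a plain read/write loop.  Returns bytes copied or -1; fds always closed. */
long sandboxed_cat(const char *const *paths, size_t npaths, int out_fd)
{
    int fds[16]; size_t i, nopen = 0; long total = -1;
    char buf[4096]; ssize_t n, w, off;
    if (npaths > 16 || limit_fd(out_fd, 1) < 0) return -1;
    while (nopen < npaths) {        /* 1: open while the namespace is still reachable */
        if ((fds[nopen] = open(paths[nopen], O_RDONLY)) < 0)
            goto out;
        if (limit_fd(fds[nopen++], 0) < 0)
            goto out;
    }
    if (cap_enter() < 0) goto out;  /* 2: from here on, open() fails with ECAPMODE */
    for (total = 0, i = 0; i < npaths; i++) {   /* 3: only READ/WRITE are exercised */
        while ((n = read(fds[i], buf, sizeof(buf))) > 0) {
            for (off = 0; off < n; off += w)
                if ((w = write(out_fd, buf + off, (size_t)(n - off))) < 0) { total = -1; goto out; }
            total += n;
        }
        if (n < 0) { total = -1; goto out; }
    }
out:
    for (i = 0; i < nopen; i++) close(fds[i]);
    return total;
}
```

On FreeBSD, running `truss` on a caller of this shows one openat and one cap_rights_limit per input and a single cap_enter, which is the shape of trace Mateusz contrasts with the Casper-based version.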