From: Mariusz Zaborski
Date: Sun, 17 Jan 2021 01:03:25 +0100
Subject: Re: git: aefe30c54371 - main - cat: capsicumize it
To: Cy Schubert
Cc: mike@karels.net, Mateusz Guzik, src-committers, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org, Mark Johnston, Alex Richardson

Thank you for raising your concerns. We discussed that, and for now, we
will disable sandboxing in cat. We will try to measure where the
bottlenecks are and try to address them. We should try to sandbox even
tools as simple as cat or tail, but not at any cost. If we have a high
cost, we may explore other ways of doing it.

On Sat, 16 Jan 2021 at 16:10, Cy Schubert wrote:
>
> In message <202101161448.10GEmuI4095908@mail.karels.net>, Mike Karels
> writes:
> > Mateusz wrote:
> > > I have to strongly disagree with this change.
> > >
> > > truss -f cat /etc/motd immediately reveals a most peculiar overhead
> > > which comes with it.
> > >
> > > Some examples:
> > > - pdfork is called 3 times and fork 1 time, spawning 4 processes in total
> > > - the file is opened twice:
> > > 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 5 (0x5)
> > > 5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > > 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 7 (0x7)
> > > 5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > > - there is an enormous number of sendto/recvfrom instead of everything
> > > happening in just one go
> > >
> > > Key points:
> > > - the functionality provided by casper definitely induces way more
> > > overhead than it should.
> > > - regardless of the above, I find patching tools like tail and cat in
> > > this manner to be highly questionable. Ultimately, whatever security
> > > may or may not have been gained always has to be gauged against
> > > actual impact, and it does not look like it is worth it in this case.
> > >
> > > Even if someone were to put cat in capability mode, for something as
> > > trivial as opening one file, cat could just do it without all the other
> > > overhead and then enter the sandbox.
> > >
> > > That said, I think this change (and possibly similar changes to other
> > > tooling) should be reverted. Regardless of what happens here, casper
> > > needs a lot of work before it is deemed usable.
> > >
> > > My $0,03.
> >
> > I also question this change. Using capsicum makes sense for something
> > like tcpdump, which usually runs as root, uses privileged facilities,
>
> tcpdump can drop its privileges. Various Linux distros and vendors do this.
> I have a patch in my tree that will do this.
>
> > and interprets external data that could potentially subvert it in the
> > worst case. It also has a fairly high startup cost that can be amortized
> > over its runtime. Cat is nothing like this, so I wonder what the motivation
> > was for the change. It's not obvious to me that there is any significant
> > value in capsicumizing, and there are obviously significant costs.
>
> Agreed.
>
> >
> > Mike
>
>
> --
> Cheers,
> Cy Schubert
> FreeBSD UNIX: Web: https://FreeBSD.org
> NTP: Web: https://nwtime.org
>
> The need of the many outweighs the greed of the few.
>
> > > On 1/15/21, Mariusz Zaborski wrote:
> > > > The branch main has been updated by oshogbo:
> > > >
> > > > URL: https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > >
> > > > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > > Author: Mariusz Zaborski
> > > > AuthorDate: 2021-01-15 20:22:29 +0000
> > > > Commit: Mariusz Zaborski
> > > > CommitDate: 2021-01-15 20:23:42 +0000
> > > >
> > > > cat: capsicumize it
> > > >
> > > > Reviewed by: markj, arichardson
> > > > Differential Revision: https://reviews.freebsd.org/D28083
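Added example (not the committed cat code and not casper): the shape Mateusz suggests in the quoted thread, where cat opens each input once, limits every descriptor with cap_rights_limit to the rights the truss output lists, enters capability mode once with cap_enter, and only then copies, so no helper processes or sendto/recvfrom round trips are involved. The Capsicum calls are guarded on __FreeBSD__ so the file also builds elsewhere as a plain copy; the 64-file limit and function names are my own choices.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#if defined(__FreeBSD__)
#include <sys/capsicum.h>
#endif
/* Limit fd to what cat needs on it; the input set is the one seen in truss. */
static int limit_fd(int fd, int writable)
{
#if defined(__FreeBSD__)
	cap_rights_t rights;
	if (writable) cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT);
	else cap_rights_init(&rights, CAP_READ, CAP_FCNTL, CAP_FSTAT);
	return cap_rights_limit(fd, &rights);
#else
	(void)fd; (void)writable;	/* no Capsicum on this platform: nothing to do */
	return 0;
#endif
}
/* Copy in -> out until EOF.  Returns bytes copied, or -1 on error. */
ssize_t copy_fd(int in, int out)
{
	char buf[8192];
	ssize_t n, w, off, total = 0;
	while ((n = read(in, buf, sizeof buf)) > 0)
		for (off = 0; off < n; off += w, total += w)
			if ((w = write(out, buf + off, n - off)) < 0)
				return -1;
	return n < 0 ? -1 : total;
}
/* Open all inputs first (one open per file), limit each descriptor, enter
 * capability mode once, then do the copying inside the sandbox. */
int sandboxed_cat(const char **paths, int npaths, int out)
{
	int fds[64], i;	/* 64 is an arbitrary cap chosen for this example */
	if (npaths < 0 || npaths > 64 || limit_fd(out, 1) < 0)
		return -1;
	for (i = 0; i < npaths; i++)
		if ((fds[i] = open(paths[i], O_RDONLY)) < 0 || limit_fd(fds[i], 0) < 0)
			return -1;
#if defined(__FreeBSD__)
	if (cap_enter() < 0)	/* from here on, no new files can be opened */
		return -1;
#endif
	for (i = 0; i < npaths; i++)
		if (copy_fd(fds[i], out) < 0 || close(fds[i]) < 0)
			return -1;
	return 0;
}
```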