Date: Sat, 16 Jan 2021 19:09:41 -0500
From: Shawn Webb
To: Mariusz Zaborski
Cc: Cy Schubert, mike@karels.net, Mateusz Guzik, src-committers, dev-commits-src-all@freebsd.org, dev-commits-src-main@freebsd.org, Mark Johnston, Alex Richardson
Subject: Re: git: aefe30c54371 - main - cat: capsicumize it
Message-ID: <20210117000941.4nxmpmamdd3out7i@mutt-hbsd>
References: <202101161448.10GEmuI4095908@mail.karels.net> <202101161510.10GF9xON022324@slippy.cwsent.com>
Also to note: Something about this change causes a kernel panic under heavy load (poudriere running 20 jobs with poudriere configured to use tmpfs for the entire job).

Screenshot of kernel panic: https://photos.app.goo.gl/dXBpW7sbn1iWQaJj9

On Sun, Jan 17, 2021 at 01:03:25AM +0100, Mariusz Zaborski wrote:
> Thank you for raising your concerns. We discussed that, and for now,
> we will disable sandboxing in the cat. We will try to measure where
> the bottlenecks are and try to address them.
>
> We should try to sandbox even as simple tools like cat or tail, but not for any
> cost. If we have a high cost, we may explore other ways of doing it.
>
> On Sat, 16 Jan 2021 at 16:10, Cy Schubert wrote:
> >
> > In message <202101161448.10GEmuI4095908@mail.karels.net>, Mike Karels
> > writes:
> > > Mateusz wrote:
> > > > I have to strongly disagree with this change.
> > > >
> > > > truss -f cat /etc/motd immediately reveals most peculiar overhead
> > > > which comes with it.
> > > >
> > > > Some examples:
> > > > - pdfork is called 3 times and fork 1 time, spawning 4 processes in total
> > > > - the file is opened twice:
> > > > 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 5 (0x5)
> > > > 5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > > > 5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00) = 7 (0x7)
> > > > 5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> > > > - there is an enormous number of sendto/recvfrom instead of everything
> > > > happening in just one go
> > > >
> > > > Key points:
> > > > - the functionality provided by casper definitely induces way more
> > > > overhead than it should.
> > > > - regardless of the above, I find patching tools like tail and cat in
> > > > this manner to be highly questionable. Ultimately whatever security
> > > > may or may not have been gained always has to be gauged against
> > > > actual impact, and it does not look like it is worth it in this case.
> > > >
> > > > Even if someone was to put cat in capability mode, for something as
> > > > trivial as opening one file, cat could just do it without all the other
> > > > overhead and then enter the sandbox.
> > > >
> > > > That said, I think this change (and possibly similar changes to other
> > > > tooling) should be reverted. Regardless of what happens here, casper
> > > > needs a lot of work before it is deemed usable.
> > > >
> > > > My $0,03.
> > >
> > > I also question this change. Using capsicum makes sense for something
> > > like tcpdump, which usually runs as root, uses privileged facilities,
> >
> > tcpdump can drop its privileges. Various Linux distros and vendors do this.
> > I have a patch in my tree that will do this.
> >
> > > and interprets external data that could potentially subvert it in the
> > > worst case. It also has a fairly high startup cost that can be amortized
> > > over its runtime. Cat is nothing like this, so I wonder what the motivation
> > > was for the change. It's not obvious to me that there is any significant
> > > value in capsicumizing, and there are obviously significant costs.
> >
> > Agreed.
> >
> > >
> > > Mike
> > >
> > > --
> > Cheers,
> > Cy Schubert
> > FreeBSD UNIX: Web: https://FreeBSD.org
> > NTP: Web: https://nwtime.org
> >
> > The need of the many outweighs the greed of the few.
> >
> > > > On 1/15/21, Mariusz Zaborski wrote:
> > > > > The branch main has been updated by oshogbo:
> > > > >
> > > > > URL:
> > > > > https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > > >
> > > > > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > > > > Author: Mariusz Zaborski
> > > > > AuthorDate: 2021-01-15 20:22:29 +0000
> > > > > Commit: Mariusz Zaborski
> > > > > CommitDate: 2021-01-15 20:23:42 +0000
> > > > >
> > > > > cat: capsicumize it
> > > > >
> > > > > Reviewed by: markj, arichardson
> > > > > Differential Revision: https://reviews.freebsd.org/D28083

--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

GPG Key ID: 0xFF2E67A277F8E1FA
GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2
https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
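The alternative Mateusz sketches in the thread (open the inputs first, limit the descriptors, then enter capability mode, with no casper services or helper processes involved) looks like the following. This is an added illustration for the reader, not code from the FreeBSD cat(1) commit under discussion or from anyone in the thread. It assumes FreeBSD's sys/capsicum.h for cap_rights_limit() and cap_enter(); on other systems those calls compile out under a portability guard so the copy logic can still be run. The function names (open_limited, enter_sandbox, copy_fd, cat_sandboxed, write_sample_file) and the sample content written by write_sample_file are constructed for this example.

```c
/*
 * Added example, not the FreeBSD cat(1) source: open and rights-limit every
 * input up front, enter capability mode once, then copy. No casper, no
 * pdfork, no second open. Assumption: on non-FreeBSD hosts the capsicum
 * calls are compiled out so the rest of the code still builds and runs.
 */
#define _DEFAULT_SOURCE   /* glibc: expose mkstemp/strdup; ignored elsewhere */
#include <sys/types.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Open one input read-only and restrict the descriptor to the rights cat
 * actually needs. Returns the fd, or -1 with errno set. */
static int open_limited(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS) {
        close(fd);
        return -1;
    }
#endif
    return fd;
}

/* Enter capability mode. From here on open()/openat() of a global path
 * fails with ECAPMODE, which is why every open happened before this call. */
static int enter_sandbox(void)
{
#ifdef __FreeBSD__
    if (cap_enter() < 0 && errno != ENOSYS)
        return -1;
#endif
    return 0;
}

/* Copy everything from `in` to `out`. Returns bytes copied or -1. */
static ssize_t copy_fd(int in, int out)
{
    char buf[8192];
    ssize_t total = 0, n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        ssize_t off = 0;
        while (off < n) {
            ssize_t w = write(out, buf + off, (size_t)(n - off));
            if (w < 0)
                return -1;
            off += w;
        }
        total += n;
    }
    return n < 0 ? -1 : total;
}

/* Minimal sandboxed cat: open all inputs, limit them, cap_enter, copy.
 * Returns total bytes written to `out`, or -1 on error. Any open failure
 * is reported before the sandbox is entered. */
ssize_t cat_sandboxed(const char *const *paths, size_t npaths, int out)
{
    int *fds = malloc(npaths * sizeof *fds);
    if (fds == NULL)
        return -1;
    ssize_t total = 0;
    size_t i;
    for (i = 0; i < npaths; i++)
        fds[i] = -1;
    for (i = 0; i < npaths; i++)
        if ((fds[i] = open_limited(paths[i])) < 0) { total = -1; goto out; }
    if (enter_sandbox() < 0) { total = -1; goto out; }
    for (i = 0; i < npaths; i++) {
        ssize_t n = copy_fd(fds[i], out);
        if (n < 0) { total = -1; break; }
        total += n;
    }
out:
    for (i = 0; i < npaths; i++)
        if (fds[i] >= 0)
            close(fds[i]);
    free(fds);
    return total;
}

/* Helper for trying the code: write constructed sample content to a fresh
 * temp file and return its path (caller frees), or NULL on failure. */
char *write_sample_file(const char *content)
{
    char tmpl[] = "/tmp/cat_sample_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    size_t len = strlen(content);
    if (write(fd, content, len) != (ssize_t)len) { close(fd); unlink(tmpl); return NULL; }
    close(fd);
    return strdup(tmpl);
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s file...\n", argv[0]); return 1; }
    ssize_t n = cat_sandboxed((const char *const *)(argv + 1), (size_t)(argc - 1), STDOUT_FILENO);
    return n < 0 ? 1 : 0;
}
```

Run on FreeBSD with `truss -f ./a.out /etc/motd` and compare against the trace quoted above: there is one openat per input, one cap_rights_limit per descriptor, one cap_enter, and then only read/write, with no pdfork and no sendto/recvfrom traffic to a casper service. The design point is that cat needs nothing from the outside world after its inputs are open, so the whole privilege reduction can happen before the sandbox with plain system calls.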