[Toybox] Adding LSM support to mkdir.

Rob Landley rob at landley.net
Thu May 21 21:22:28 PDT 2015


On Wed, May 20, 2015 at 8:46 AM, José Bollo <jobol at nonadev.net> wrote:
> On Tuesday 19 May 2015 at 23:31 -0500, Rob Landley wrote:
>> Looking at the smack-10 tree ala:
>>
>>   commit cbc95a1a00ae0a1a806e7cc241cdf7b821ee4951
>>   Author: José Bollo <jose.bollo at open.eurogiciel.org>
>>   Date:   Mon May 11 18:53:12 2015 +0200
>>
>>       mkdir: Add -Z option
>>
>> Specifically this bit:
>>
>>   -  for (s=toys.optargs; *s; s++)
>>   +  for (s=toys.optargs; *s; s++) {
>>        if (mkpathat(AT_FDCWD, *s, mode, toys.optflags|1))
>>          perror_msg("'%s'", *s);
>>   +    else if (CFG_MKDIR_SECURITY && (toys.optflags & FLAG_Z)) {
>>   +      if (security_set_context(*s, TT.arg_context) < 0) {
>>   +        rmdir(*s);
>>   +        error_exit("Unable to create directory '%s' with '%s' as
>> context.", *s,
>>   +      }
>>   +    }
>>   +  }
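Review bot: the `rmdir(*s)` on the `security_set_context()` failure path removes `*s` whether or not this invocation created it. `mkpathat()` returning 0 does not by itself prove the leaf was freshly made (if any flag reaching it through `toys.optflags|1` treats an already existing directory as success, a pre-existing directory gets deleted), and any parent components `mkpathat()` did create are left behind. Suggest creating the leaf with mode 000, labelling it, then chmod()ing it to `mode`, and only removing what this call actually made (see the race question below). Separately, the `error_exit()` format string carries two `%s` conversions but, as quoted, only `*s` follows it before the closing `}`; if that is not just mail wrapping, the second argument (presumably `TT.arg_context`) is missing and the call is undefined behaviour. `error_msg()` is the right call there anyway, so the remaining optargs still get processed.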
>>
>> Isn't this racy? You create the directory without a label, then come along
>> at some arbitrary point later and add one? Shouldn't we at least mkpathat()
>> with mode 000, add the label, and then chmod()?
>
> Hello,
>
> You are right. See
> https://msdn.microsoft.com/en-us/library/windows/desktop/aa363855%28v=vs.85%29.aspx
> to get another point of view.

You are pointing me at a Microsoft Developer Network article to
explain how to implement a Linux thing.

No. Just no.

(This entire subsystem is a bad idea.)

>> Or does it not work that way with this stuff? (I dunno if we can add a label
>> to a directory we can't write to. I dunno we can chmod it after we've stuck
>> a label on it. Maybe the race condition is inherent in the design because
>> Stewart's bosses were more interested in gaining perpetual access to
>> everybody's infrastructure than actually securing it?)
>
> yes

I don't know what "yes" means here. Yes we should be doing chmod after
setting the label, or yes we _can't_ do chmod after setting the label?

>> Also, I take it setcontext still isn't setting errno to anything useful?
>
> alas
>
>> Sigh. These are very rough-edged APIs. Nobody's ever gone through to clean
>> them up on the kernel side. (I dunno if this is the same "How dare newbies
>> like you look through openssl to find heartbleed? Keep your ignorant paws
>> off our magic code mortals are not meant to understand" thing as the crypto
>> world, or if it's just nobody who isn't being paid to work on this cares
>> about this bureaucratic infrastructure for filling out forms in triplicate.
>> Possibly a combination of the two.)
>>
>> Oh, don't error_exit() in the middle of looping on optargs, just error_msg()
>> and that'll set toys.exitval to 1 if it's not already set to a nonzero value
>> so when we _do_ exit it returns an error value. Otherwise you don't process
>> the full list, and you're supposed to.
>
> you are right. thank you for the tip.
>
>>
>> Rob
>>
>> P.S. I suspect I have slightly more sympathy for smack than for other Linux
>> Sado-Masochism plugins because at least they're not using "security"
>> infrastructure developed by the NSA _after_ the Snowden revelations*. Then
>> again rolling your own security seems like rolling your own crypto, so...
>> Either way I still consider this stuff mostly for show, as in the "S" in
>> the middle of TSA, NSA, and LSM all have the exact same meaning as far as
>> I'm concerned, and are of about as much real-world use.
>
> Who are these nasty people and how do they sadly influence our everyday life?

TSA is the "Transportation Security Administration", i.e. the mall
cops at airports who confiscate the water bottle the previous flight
gave you when you switch planes.

Security expert Bruce Schneier has written several excellent articles
describing what an utter waste of time these clowns are, see the first
four hits of:
https://www.google.com/search?q=bruce+schneier+tsa for example.

Also see Adam Savage of MythBusters describing at w00tstock how he
_accidentally_ went through TSA security carrying a couple of two foot
long knives he'd forgotten about, and didn't notice until he arrived
at his destination:
https://www.youtube.com/watch?v=q3yaqq9Jjb4

NSA is the "National Security Administration", the voyeuristic nuts
who tap everybody's phone because Darth Cheney thought the KGB had the
right idea:

http://www.ted.com/talks/edward_snowden_here_s_how_we_take_back_the_internet?language=en

And like 37 other links I can send you if you really care.

LSM is "Linux Security Modules" and I was pointing out the same word
is in the middle of all three acronyms, and the three seem
approximately as useful.

Clay Shirky had a nice video talking about how institutions move from
whatever their original goal was to "self preservation" (of the
institution) as their primary goal:
http://www.youtube.com/watch?v=sPQViNNOAkw

Here's a writeup somebody did about that:
http://kk.org/thetechnium/2010/04/the-shirky-prin/

I see Linux Security Modules as serving the purpose of absorbing
corporate development dollars, not actually improving the net security
of any system they're involved with.

>> But I'm trying very hard not to let this influence my technical judgement.
>> "I am not the target audience for this infrastructure, and the people who
>> need it care deeply about it." (Whether what they need it for is to
>> placate middle management or justify budgetary expenditures or show nominal
>> compliance with a bureaucratic standard is none of my business: they
>> can't deploy the software without it. "Something must be done, this is
>> something, therefore we must do it.")
>>
>> On the one hand, it doesn't seem to be important to its target audience
>> whether it actually _works_ (as long as it _seems_ to work). On the other
>> hand, if toybox is going to have infrastructure I want it to be the best
>> version of that infrastructure it can be. If we're gonna do it, we do it
>> right.
>>
>> Alas, all my instincts say that doing it right in this case involves not
>> going there in the first place, and we've already burned that bridge, so
>> there's a certain amount of "flying blind on a rocketcycle"** going on here.
>> I do not know how to fix this, on at least two levels.
>
> If you were radical you would have turned off the C programming language and POSIX.
> That is the way I'm doing toys.
> https://fosdem.org/2015/schedule/event/flk/

Eh, I read about Rust, I read about Go, I read about Objective-C back
when that happened, I actually used C++ until it grew templates and
turned into something that wasn't "C with classes" anymore...

And I just don't care about any of them.

C is a portable assembly language with minimal abstraction, delivering
the benefits of simplicity and transparency. Scripting languages like
Lua and Python and Ruby and 37 others provide opaque abstractions that
_work_, insulating you from resource tracking and bounds checking and
caring whether your key/value association container types are
implemented as a tree or a hash table or what... Trying to mix the two
modes means the result sucks, every single time so far.

Here's a short writeup I did on that:

http://lwn.net/Articles/504751/

Here's a longer, detailed, multipart writeup I did:

http://landley.net/notes-2011.html#16-03-2011
http://landley.net/notes-2011.html#19-03-2011
http://landley.net/notes-2011.html#20-03-2011

I have _opinions_ on that. :)

Rob
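The ordering Rob asks about above (create the directory with mode 000, apply the label while nobody can use it, then chmod() it to the requested mode), as an added example that is not toybox code and not part of this thread. It assumes a Linux system with setxattr() and that Smack keeps an inode's label in the security.SMACK64 xattr; the label-setting function is passed in as a parameter so the failure path can be exercised with a stand-in (refuse_label, an assumption for demonstration) on a kernel without Smack, where the real call would need an LSM and privilege. It goes one step beyond the quoted patch in that it only removes a directory it created itself and never deletes one that already existed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Hook that applies a label to a path; returns 0, or -1 with errno set. */
typedef int (*label_fn)(const char *path, const char *label);

/* Real labeller: Smack keeps an inode's label in the security.SMACK64 xattr.
 * Needs a Smack-enabled kernel and sufficient privilege to succeed. */
int set_smack_label(const char *path, const char *label)
{
  return setxattr(path, "security.SMACK64", label, strlen(label), 0);
}

/* Stand-in labeller (assumption for demonstration): behaves like a kernel
 * with no LSM willing to accept the label, so the cleanup path can be run. */
int refuse_label(const char *path, const char *label)
{
  (void)path; (void)label;
  errno = EOPNOTSUPP;
  return -1;
}

/* Create 'path' with 'label' and final 'mode' so that the directory is never
 * visible with its final permissions but without its label:
 *   1. mkdir(path, 0)  - nobody without CAP_DAC_OVERRIDE can enter it yet
 *   2. setlabel()      - label the still-inaccessible directory
 *   3. chmod(mode)     - open it up (mode applied exactly, like mkdir -m)
 * Returns 0, or -1 with errno set. *created reports whether this call made
 * the directory; a directory that already existed is never removed. */
int mkdir_labeled(const char *path, mode_t mode, const char *label,
                  label_fn setlabel, int *created)
{
  int saved;

  if (created) *created = 0;
  if (mkdir(path, 0)) return -1;         /* includes EEXIST: not ours */
  if (created) *created = 1;

  if ((label && setlabel(path, label)) || chmod(path, mode)) {
    saved = errno;
    rmdir(path);   /* safe: we created it a moment ago and it is empty */
    errno = saved;
    return -1;
  }
  return 0;
}

/* Helpers for checking results. */
int dir_exists(const char *path)
{
  struct stat st;
  return !stat(path, &st) && S_ISDIR(st.st_mode);
}

/* Permission bits of 'path', or -1 if it cannot be stat()ed. */
long dir_mode(const char *path)
{
  struct stat st;
  if (stat(path, &st)) return -1;
  return (long)(st.st_mode & 07777);
}

int main(void)
{
  char base[] = "/tmp/mkdirZ-XXXXXX", p1[300], p2[300];
  int created, r, e;

  if (!mkdtemp(base)) { perror("mkdtemp"); return 1; }
  snprintf(p1, sizeof p1, "%s/labelled", base);
  snprintf(p2, sizeof p2, "%s/rejected", base);

  /* No label requested: plain create, label step skipped. */
  r = mkdir_labeled(p1, 0755, NULL, set_smack_label, &created);
  printf("no label: %d, created=%d, mode %lo\n", r, created, dir_mode(p1));
  /* Label refused on a fresh directory: it is cleaned up again. */
  r = mkdir_labeled(p2, 0755, "_", refuse_label, &created); e = errno;
  printf("refused: %d (%s), exists=%d\n", r, strerror(e), dir_exists(p2));
  /* Existing directory: reported as an error, but left alone. */
  r = mkdir_labeled(p1, 0700, "_", refuse_label, &created); e = errno;
  printf("exists: %d (%s), still there=%d\n", r, strerror(e), dir_exists(p1));

  rmdir(p1); rmdir(base);
  return 0;
}
```

Passing the labeller as a function pointer is what makes the error handling checkable without a Smack kernel; in a real tool set_smack_label would be wired in directly. Applying the mode with an explicit chmod() also means umask is not consulted, so a caller that wants mkdir's default behaviour has to mask the mode itself before calling.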
