and, yeah, we just verified it breaks a few things. That's good. It's time to get our security all spiffied up :-)
On Thu, Jan 5, 2017 at 10:37 AM ron minnich <[email protected]> wrote:
> you don't want to commit this yet. We'll do testing today and let you know
> how it goes.
>
> We do want to commit it at some point. The default hostowner is going to
> be nanwan.
>
> ron
>
> On Thu, Jan 5, 2017 at 10:31 AM Barret Rhoden <[email protected]> wrote:
> > On 2017-01-05 at 09:35 "Ron Minnich (Gerrit)" <[email protected]> wrote:
> > > Ron Minnich has posted comments on this change.
> > > ( https://akaros-review.googlesource.com/3342 )
> > >
> > > Change subject: capdev: fix iseve check, set initial hostowner to nanwan
> > > ......................................................................
> > >
> > > Patch Set 2: Code-Review+2
> > >
> > > note: this may break things. That's life. We have to do this.
> >
> > any idea if this breaks things or not? like ssh, vms, snoopy, etc?
> >
> > i would like to hold off on merging this patch until we sort out the
> > things that it will break. i.e. a patch set consisting of this patch
> > and whatever is needed to fix what it breaks. right now, is anyone
> > ever eve?
> >
> > iseve() is only used in a few places:
> >
> > iseve  76    kern/drivers/dev/capability.c   if (iseve() && c->qid.path == Qhash)
> > iseve  103   kern/drivers/dev/capability.c   if (!iseve())
> > iseve  210   kern/drivers/dev/capability.c   if (!iseve())
> > iseve  1111  kern/drivers/dev/cons.c         if (!iseve())
> > iseve  1116  kern/drivers/dev/cons.c         if (!iseve())
> > iseve  1145  kern/drivers/dev/cons.c         if (!iseve())
> > iseve  1201  kern/drivers/dev/cons.c         if (!iseve())
> > iseve  418   kern/drivers/dev/proc.c         if (iseve())
> > iseve  989   kern/include/ns.h               int iseve(void);
> > iseve  427   kern/src/net/devip.c            if (omode & (O_WRITE | O_TRUNC) && !iseve())
> > iseve  459   kern/src/net/devip.c            if (strcmp(ATTACHER(c), cv->owner) != 0 && !iseve())
> > iseve  615   kern/src/net/devip.c            if (!iseve() && strcmp(ATTACHER(c), cv->owner) != 0)
> > iseve  998   kern/src/net/devip.c            if (!iseve())
> >
> > the stuff in #ip is related to port permissions, writing to ndb,
> > snoopy, and ipwstat. for which of those is 'eve' actually important,
> > and what does the eve check buy us?
> >
> > the iseve test in proc is commented out.
> >
> > in cons, we have checks related to writing Qtime, Qbintime, reboot, and
> > commented-out checks in sysctl and qswap. Same as with #ip, what's the
> > deal with permissions there?
> >
> > so far, it looks like eve is used as a limited form of 'root' - you're
> > allowed to do a set of things beyond a regular user (special ports,
> > reboot, change the time). how does that fit in with our model?
> >
> > at the very least, we'd probably want to set the initial process's
> > username to "nanwan" or whatever will pass the iseve() check, and then
> > other processes can downgrade their capabilities with the #cap device.
> >
> > barret
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Akaros" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To post to this group, send email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
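Added example, not code from the Akaros tree or from anyone in the thread: a small C model of the eve check the thread is arguing about. It uses the Plan 9 definition of iseve() (a string compare of the process's user against the host owner), gates two operations of the kind in Barret's grep list (writing the time in #cons, modifying an #ip conversation you do not own), and shows the "start as nanwan, then downgrade" flow. struct proc, current, cons_write_time, ip_can_modify, proc_set_user and demo are names assumed for illustration, and the downgrade is modelled as a one-way user rename rather than the #cap device.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model for illustration; not Akaros code. */

#define USERNAME_LEN 32

/* The host owner ("eve"). The thread says the default is going to be nanwan. */
static const char *eve = "nanwan";

struct proc {
	char user[USERNAME_LEN];	/* username the process runs as */
};

/* Stand-in for the kernel's notion of the current process. */
static struct proc *current;

/* Plan 9 defines iseve() as strcmp(eve, up->user) == 0; same model here. */
static int iseve(void)
{
	return current && strcmp(eve, current->user) == 0;
}

/* #cons-style gate: only eve may set the clock. 0 on success, -1 if refused. */
static int cons_write_time(long new_secs, long *clock)
{
	if (!iseve())
		return -1;	/* the real driver would error out with EPERM */
	*clock = new_secs;
	return 0;
}

/* #ip-style gate: the attacher must own the conversation, unless it is eve. */
static int ip_can_modify(const char *attacher, const char *conv_owner)
{
	return iseve() || strcmp(attacher, conv_owner) == 0;
}

/* Downgrade: a process takes a different username. Refuse a switch *to* eve,
 * so this can only drop the eve privilege, never regain it. */
static int proc_set_user(struct proc *p, const char *name)
{
	if (strcmp(name, eve) == 0)
		return -1;
	if (strlen(name) >= USERNAME_LEN)
		return -1;
	strcpy(p->user, name);
	return 0;
}

/* Walkthrough: init starts as the host owner, can set the clock and override
 * conversation ownership, then downgrades and loses both. Returns the number
 * of checks (out of 9) that behaved as expected. */
int demo(void)
{
	static struct proc init;
	long clock = 0;
	int ok = 0;

	strcpy(init.user, eve);	/* initial process passes the iseve() check */
	current = &init;

	ok += iseve() == 1;
	ok += cons_write_time(1483600000L, &clock) == 0 && clock == 1483600000L;
	ok += ip_can_modify("alice", "bob") == 1;	/* eve overrides ownership */

	ok += proc_set_user(&init, "alice") == 0;	/* downgrade */
	ok += iseve() == 0;
	ok += cons_write_time(42, &clock) == -1 && clock == 1483600000L;
	ok += ip_can_modify("alice", "bob") == 0;	/* not owner, not eve */
	ok += ip_can_modify("alice", "alice") == 1;	/* owner still may */
	ok += proc_set_user(&init, "nanwan") == -1;	/* cannot climb back */
	return ok;
}

int main(void)
{
	printf("%d/9 checks behaved as expected\n", demo());
	return 0;
}
```

The point the model makes explicit is the one Barret raises: with a string compare against the host owner, "eve" is a flat on/off privilege (clock, reboot, special ports all hang off the same bit), so whatever the initial process is named decides who can ever pass the check, and any later reduction has to be a one-way drop.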
