Re: Is sendfile all that sexy?

2001-01-15 Thread Florian Weimer
Gerhard Mack [EMAIL PROTECTED] writes: PS I wish someone would explain to me why distros insist on using WU instead given its horrid security record. The security record of Proftpd is not horrid, but embarrassing. They once claimed to have fixed a vulnerability, but in fact introduced

Re: hotmail not dealing with ECN

2001-01-26 Thread Florian Weimer
system which is safe or a system which maximizes interoperability at the cost of potential risks. IMHO, the first choice is much more appropriate than the second one. -- Florian Weimer[EMAIL PROTECTED] University of Stuttgart http://cert.uni-st

Re: Modprobe local root exploit

2000-11-14 Thread Florian Weimer
passing the parameter down to modprobe, or in modprobe itself. Everything else is too error-prone.

Re: PROBLEM: I/O system call never returns if file desc is closed in the

2001-06-06 Thread Florian Weimer
conditions if more than one thread is creating file descriptors? I think you can only do that under very special circumstances, and it definitely requires some synchronization.

Re: PROBLEM: I/O system call never returns if file desc is closed in the

2001-06-07 Thread Florian Weimer
Alexander Viro [EMAIL PROTECTED] writes: On 7 Jun 2001, Florian Weimer wrote: Matthias Urlichs [EMAIL PROTECTED] writes: Select is defined as to return, with the appropriate bit set, if/when a nonblocking read/write on the file descriptor won't block. You'd get EBADF

Re: [CHECKER] security rules? (and 2.4.5-ac4 security bug)

2001-06-08 Thread Florian Weimer
() is broken in the RANDOM_UUID case. It calls copy_to_user() on table-data, which is always NULL.

Flushing buffer and page cache

2001-02-17 Thread Florian Weimer
are not flushed, the computer won't see the updates. (Synchronization is done manually, so it's not an issue---trust me, I know what I'm doing. ;-) Kernel version doesn't matter. ;-)

Re: Is this the ultimate stack-smash fix?

2001-02-17 Thread Florian Weimer
. Fortunately, there is a number of other programming languages out there which do permit proper bounds checking on arrays (and have strong, static typing and other gizmos which make shooting yourself into the foot unintentionally a bit more difficult).

Re: ZFS with Linux: An Open Plea

2007-04-17 Thread Florian Weimer
* Theodore Tso: we can continue trying to innovate around better filesystem and LVM storage technologies, as opposed to trying to chase the ZFS tail lights. Indeed. Here's a gem from the official ZFS FAQ: | What can I do if ZFS panics on every boot? | | ZFS is designed to survive

Re: more than 65535 outbound connections

2007-03-09 Thread Florian Weimer
I read on the web that Terry Lambert has got 1.6 million simultaneous connections? How is it done? Multiple IP addresses, I guess. -- Florian Weimer[EMAIL PROTECTED] BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1

Re: [PATCH] Undo some of the pseudo-security madness

2007-02-24 Thread Florian Weimer
* Samium Gromoff: Lisp environments can produce standalone executables If you've got a stand-alone executable, you don't need MAP_FIXED. The ELF loader maps the program at a fixed address anyway (at least on i386 and x86_64, I haven't checked others). AFAIK, PolyML has recently made the

Re: [PATCH] Undo some of the pseudo-security madness

2007-02-24 Thread Florian Weimer
Randomisation has nothing to do with C. In fact from a C perspective the compiler and linker do a lot of work to deal with ELF and loading code at arbitrary addresses for dynamic linking and the like, not the user and not as language constructs. Perhaps the Lisp universe should wake up and

Re: [PATCH] Undo some of the pseudo-security madness

2007-02-24 Thread Florian Weimer
* Samium Gromoff: Lisp environments can produce standalone executables If you've got a stand-alone executable, you don't need MAP_FIXED. The ELF loader maps the program at a fixed address anyway (at least on i386 and x86_64, I haven't checked others). Not so. The thing is that the

Re: [PATCH 1/4] stringbuf: A string buffer implementation

2007-10-24 Thread Florian Weimer
* Matthew Wilcox: +struct stringbuf { + char *s; + int alloc; + int len; +}; I think alloc and len should be unsigned (including some return values in the remaining patch). - To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to [EMAIL

Re: Linux 2.6.22.18

2008-02-12 Thread Florian Weimer
* Greg KH: the logic is a little different in 2.6.22 and earlier in regards to this area of code. This way we are safer. Your patch doesn't include the CVE-2006-0010 hunk. Is this because get_user() implies an access_ok() check (while __copy_from_user() obviously does not)?

Re: [RFC] Second attempt at kernel secure boot support

2012-11-05 Thread Florian Weimer
* James Bottomley: Right, but what I'm telling you is that by deciding to allow automatic first boot, you're causing the windows attack vector problem. You could easily do a present user test only on first boot which would eliminate it. Apparently, the warning will look like this:

Re: [RFC] Second attempt at kernel secure boot support

2012-11-05 Thread Florian Weimer
* Eric W. Biederman: If windows is not present on a system linux can not be used to boot a compromised version of windows without user knowledge because windows is not present. Interesting idea. Unfortunately, it is very hard to detect reliably that Windows is not present from the

Re: [RFC] Second attempt at kernel secure boot support

2012-11-06 Thread Florian Weimer
* Chris Friesen: On 11/06/2012 01:56 AM, Florian Weimer wrote: Personally, I think the only way out of this mess is to teach users how to disable Secure Boot. If you're going to go that far, why not just get them to install a RedHat (or SuSE, or Ubuntu, or whoever) key and use that instead

Re: [RFC] Second attempt at kernel secure boot support

2012-11-06 Thread Florian Weimer
* Matthew Garrett: I'm not sure why you think that Fedora PXE installs will automatically wipe disks - they'll do whatever Kickstart tells them to do. Or what the referenced initrd contains (which is not signed, for obvious reasons). The point is that the bootloader is signed by Fedora does

Re: [PATCH 00/23] per device dirty throttling -v8

2007-08-04 Thread Florian Weimer
* Andrew Morton: The easy preventive is to mount with data=writeback. Maybe that should have been the default. The documentation I could find suggests that this may lead to a security weakness (old data in blocks of a file that was grown just before the crash leaks to a different user). XFS

Re: [PATCH 00/23] per device dirty throttling -v8

2007-08-05 Thread Florian Weimer
* Andrew Morton: XFS overwrites that data with zeros upon reboot, which tends to irritate users when it happens. yup. From this point of view, data=ordered doesn't seem too bad. If your computer is used by multiple users who don't trust each other, sure. That covers, what? About 2% of

Re: Kernel SCM saga..

2005-04-08 Thread Florian Weimer
* Matthias Andree: commiter_name VARCHAR(32) NOT NULL CHECK(commiter_name != ''), commiter_email VARCHAR(32) NOT NULL CHECK(commiter_email != ''), The length is too optimistic and insufficient to import the current BK stuff. I'd vote for 64 or at

Re: Kernel SCM saga..

2005-04-08 Thread Florian Weimer
* Jon Smirl: On Apr 8, 2005 2:14 PM, Linus Torvalds [EMAIL PROTECTED] wrote: How do you replicate your database incrementally? I've given you enough clues to do it for git in probably five lines of perl. Efficient database replication is achieved by copying the transaction logs and

Re: Kernel SCM saga..

2005-04-08 Thread Florian Weimer
* Chris Wedgwood: It doesn't matter so much for the cached case, but it _does_ matter for the uncached one. Doing the minimal stat cold-cache here is about 6s for local disk. Does sorting by inode number make a difference?

Re: Kernel SCM saga..

2005-04-09 Thread Florian Weimer
* David Lang: Databases supporting replication are called high end. You forgot the cats dance around the network this issue involves. And Postgres (which is Free in all senses of the word) is high end by this definition. I'm not aware of *any* DBMS, commercial or not, which can perform

Re: GIT license (Re: Re: Re: Re: Re: [ANNOUNCE] git-pasky-0.1)

2005-04-11 Thread Florian Weimer
* Ingo Molnar: is there any fundamental problem with going with v2 right now, and then once v3 is out and assuming it looks ok, all newly copyrightable bits (new files, rewrites, substantial contributions, etc.) get a v3 copyright? (and the collection itself would be v3 too) That method

Re: GIT license (Re: Re: Re: Re: Re: [ANNOUNCE] git-pasky-0.1)

2005-04-11 Thread Florian Weimer
* Petr Baudis: Almost certainly, v3 will be incompatible with v2 because it adds further restrictions. This means that your proposal would result in software which is not redistributable by third parties. Hmm, what would be actually the point in introducing further restrictions? Anyone who

Re: Development Model

2005-04-19 Thread Florian Weimer
* Chuck Wolber: Has the Linux Kernel reached a point where the majority of developers feel that (at least for now) no *MAJOR* rip it out, stomp on it, burn it and start over parts of the kernel exist any longer? The IP stack is likely to see some development activity, at least there are some

Unspecified remote crash in the IP forwarding path (2.6 only)

2005-02-15 Thread Florian Weimer
Ubuntu Security Notice USN-82-1 mentions a remote crash in the IP forwarding path. Quote from the Ubuntu security advisory (apparently, no CVE name has been assigned so far): | http://oss.sgi.com/archives/netdev/2005-01/msg01036.html: | | David Coulson noticed a design flaw in the

Re: [BK] upgrade will be needed

2005-02-17 Thread Florian Weimer
* Geert Uytterhoeven: Easy, start working for OSDL, then start hacking arch or whatever. Puff, you are his coworker, you are competing with Larry, Linus license goes away. I don't know whether the kernel hackers that work for IBM use the `free' version of BK or not, but if they do,

Re: Linux 2.6.13-rc2

2005-07-06 Thread Florian Weimer
* Linus Torvalds: Ok, -rc3 is pretty small, Is it -rc2 or -rc3? (Makefile and log message don't agree, either.)

Re: [MC] [CHECKER] Do ext2, jfs and reiserfs respect mount -o sync/dirsync option?

2005-03-19 Thread Florian Weimer
* Bernd Eckenfels: In article [EMAIL PROTECTED] you wrote: 3. I open a file w/o O_SYNC, issue a bunch of writes, then call ioctl(FIOASYNC) to set the fd sync, then issue a second set of writes. Only the second set of writes are synchronous? I also am curious if one can open a file, write

Re: security issue: hard disk lock

2005-04-04 Thread Florian Weimer
* Jonas Diemer: What do you think of this? I think that these days, the underlying assumption (software cannot destroy hardware, and if it can, we have a problem) is simply no longer valid.

Re: [PATCH] OpenBSD Networking-related randomization port

2005-01-29 Thread Florian Weimer
* Lorenzo Hernández García-Hierro: As its impact is minimal (in performance and development/maintenance terms), I recommend to merge it, as it gives a basic prevention for the so-called system fingerprinting (which is used most by kids to know how old and insecure could be a target system,

[OT] Decoding machine check exceptions on AMD Athlon XP

2005-02-04 Thread Florian Weimer
One of my machines is running into an uncorrectable machine check exception. The MCA error code is 0x152, but AMD's documentation (AMD64 Architecture Programmer's Manual Volume 2: System Programming) only contains a self-reference and no actual explanation of the error codes. Any hints on how to

Re: [oss-security] Summary of security bugs (now fixed) in user namespaces

2013-04-16 Thread Florian Weimer
stabilize further? -- Florian Weimer / Red Hat Product Security Team

Re: [PATCH] lib: memcmp_nta: add timing-attack secure memcmp

2013-02-11 Thread Florian Weimer
* Daniel Borkmann: + * memcmp_nta - memcmp that is secure against timing attacks It's not providing an ordering, so it should not have cmp in the name. + for (su1 = cs, su2 = ct; 0 count; ++su1, ++su2, count--) + res |= (*su1 ^ *su2); The compiler could still short-circuit

Re: [PATCH] lib: memcmp_nta: add timing-attack secure memcmp

2013-02-12 Thread Florian Weimer
* Daniel Borkmann: On 02/11/2013 08:00 PM, Florian Weimer wrote: * Daniel Borkmann: Thanks for your feedback, Florian! + * memcmp_nta - memcmp that is secure against timing attacks It's not providing an ordering, so it should not have cmp in the name. I agree. What would you suggest

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Florian Weimer
* Matthew Garrett: On Mon, Feb 25, 2013 at 10:25:08PM -0500, Theodore Ts'o wrote: On Tue, Feb 26, 2013 at 03:13:38AM +, Matthew Garrett wrote: Because Microsoft have indicated that they'd be taking a reactive approach to blacklisting and because, so far, nobody has decided to

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Florian Weimer
* Theodore Ts'o: On Tue, Feb 26, 2013 at 02:25:55PM +1000, Dave Airlie wrote: Its a simple argument, MS can revoke our keys for whatever reason, reducing the surface area of reasons for them to do so seems like a good idea. Unless someone can read the mind of the MS guy that arbitrarily

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Florian Weimer
* Matthew Garrett: On Mon, Feb 25, 2013 at 03:28:32PM +0100, Florian Weimer wrote: But what puzzles me most is why anyone would assume that the UEFI application signing process somehow ensures that the embedded certificate is non-malicious. We cannot even track it back to the submitter

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Florian Weimer
* Linus Torvalds: So here's what I would suggest, and it is based on REAL SECURITY and on PUTTING THE USER FIRST instead of your continual let's please microsoft by doing idiotic crap approach. I think the real question is this one: Is there *any* device out there which comes with Microsoft

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-26 Thread Florian Weimer
* Chris Friesen: On 02/25/2013 10:14 AM, Matthew Garrett wrote: Windows 8 will not load unsigned drivers if Secure Boot is enabled. For reference: http://msdn.microsoft.com/en-us/library/windows/desktop/hh848062%28v=vs.85%29.aspx Thanks. Do you know perchance of any other Microsoft

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Florian Weimer
* Greg KH: On Tue, Feb 26, 2013 at 03:13:38AM +, Matthew Garrett wrote: Because Microsoft have indicated that they'd be taking a reactive approach to blacklisting and because, so far, nobody has decided to write the trivial proof of concept that demonstrates the problem. So, once that

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Florian Weimer
* Chris Friesen: On 02/28/2013 01:57 AM, Florian Weimer wrote: In any case, there's another reading of the UEFI Secure Boot requirements: you may run any code you wish after calling ExitBootServices(). That could be an unsigned, traditional GRUB. But this will not generally address

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Florian Weimer
* Matthew Garrett: Would it be possible to have a signed bootloader that allows booting Win8 from within the secure environment, or it could exit the secure environment and run unsigned grub? What would stop the unsigned grub from installing a firmware hook that lies about whether or not

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-28 Thread Florian Weimer
* Matthew Garrett: On Thu, Feb 28, 2013 at 08:41:13PM +0100, Florian Weimer wrote: * Matthew Garrett: Would it be possible to have a signed bootloader that allows booting Win8 from within the secure environment, or it could exit the secure environment and run unsigned grub? What

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Florian Weimer
* Matthew Garrett: There's only one signing authority, and they only sign PE binaries. There are at least two, with different policies, albeit run by the same organization. Actually, we don't know how many authorities are out there which have non-localized reach, so it's ... interesting to

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Florian Weimer
* Matthew Garrett: I don't think that's a problem. Just put the original binary hash in the certificate before signing it, and extend the X.509 parser to refuse certificates that have a tag that's present in dbx. Why would Microsoft put a hash of something into dbx which they haven't

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Florian Weimer
* Peter Jones: I just want to make sure this doesn't go unresponded to - Red Hat will not sign kernel modules built by an outside source. We're simply not going to sign these kernel modules. That's one of the big reasons we want a setup where they can sign their own modules in the first

Re: [GIT PULL] Load keys from signed PE binaries

2013-02-25 Thread Florian Weimer
* Matthew Garrett: On Mon, Feb 25, 2013 at 03:46:14PM +0100, Florian Weimer wrote: You could just drop the requirement that ring 0 code must be signed. I don't think Windows 8 enforces this, but I'm not yet sure if there is a physical presence check before you can enter a mode in which

Re: Atheros and rt2x00 driver

2005-08-31 Thread Florian Weimer
* Jeff Garzik: There is still the open question of whether this is legal enough to include in the kernel :( Are you referring to FTC issues, or potential copyright/trade secret issues? The FTC issues are shared by many (most?) wireless drivers. The copyright/trade secret issues might be

Re: Atheros and rt2x00 driver

2005-08-31 Thread Florian Weimer
* Mateusz Berezecki: Florian Weimer [EMAIL PROTECTED] wrote: - The FTC issues are shared by many (most?) wireless drivers. The - copyright/trade secret issues might be worked around by basing the - work on the OpenBSD version of that driver (and someone is actually - working

Re: [PATCH 0/3] New system call, unshare

2005-08-10 Thread Florian Weimer
* Janak Desai: With unshare, namespace setup can be done using PAM session management functions without patching individual commands. I don't think it's a good idea to use security-critical code well without its original specification. Clearly the current situation sucks, but this is mainly a

Re: sched_yield() makes OpenLDAP slow

2005-08-21 Thread Florian Weimer
* Andi Kleen: Has anybody contacted the Sleepycat people with a description of the problem yet? Berkeley DB does not call sched_yield, but OpenLDAP does in some wrapper code around the Berkeley DB backend.

Re: sched_yield() makes OpenLDAP slow

2005-08-22 Thread Florian Weimer
* Howard Chu: Has anybody contacted the Sleepycat people with a description of the problem yet? Berkeley DB does not call sched_yield, but OpenLDAP does in some wrapper code around the Berkeley DB backend. That's not the complete story. BerkeleyDB provides a db_env_set_func_yield() hook

Re: Free Linux Driver Development!

2007-01-30 Thread Florian Weimer
* Greg KH: Yes, that's right, the Linux kernel community is offering all companies free Linux driver development. No longer do you have to suffer through all of the different examples in the Linux Device Driver Kit, or pick through the thousands of example drivers in the Linux kernel source

Re: Free Linux Driver Development!

2007-01-30 Thread Florian Weimer
* Greg KH: This reminds me of the utterly broken dl2k network driver (which has got interrupt handling problems and doesn't properly synchronize with DMA transfers, IIRC). Hardware specs are available, and I guess I could even provide a hardware sample, maybe even two. (If the community

Re: [PATCH] Undo some of the pseudo-security madness

2007-02-01 Thread Florian Weimer
* Arjan van de Ven: No amount of carefulness will prevent vendors stick arbitrarily damaging values of stack and mmap base randomisation, severely reducing the usefulness of MAP_FIXED. MAP_FIXED is useful still. The only safe way is to use addresses you got from mmap(), eg you overmap

Re: 2.6.19 file content corruption on ext3

2006-12-16 Thread Florian Weimer
* Marc Haber: After updating to 2.6.19, Debian's apt control file /var/cache/apt/pkgcache.bin corrupts pretty frequently - like in under six hours. I've seen that with Debian's 2.6.18 kernels as well. Perhaps it's related to this Debian bug?

Re: 2.6.19 file content corruption on ext3

2006-12-19 Thread Florian Weimer
* Linus Torvalds: Now, this should _matter_ only for user processes that are buggy, and that have written to the page _before_ extending it with ftruncate(). APT seems to properly extend the file before mapping it, by writing a zero byte at the desired position (creating a hole). 24986

Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3

2007-06-13 Thread Florian Weimer
* Linus Torvalds: I consider dual-licensing unlikely (and technically quite hard), but at least _possible_ in theory. I have yet to see any actual *reasons* for licensing under the GPLv3, though. All I've heard are shrill voices about tivoization (which I expressly think is ok) In a

Re: [PATCH v6 00/22] Support ext4 on NV-DIMMs

2014-02-27 Thread Florian Weimer
duplicates pages in the page cache, so this does not seem to be possible, but DAX support might change this.

Re: [PATCH v6 00/22] Support ext4 on NV-DIMMs

2014-02-27 Thread Florian Weimer
and might not always be possible (the file system might be mounted read-only, but still be modifiable beneath).

Re: Trusted kernel patchset for Secure Boot lockdown

2014-03-19 Thread Florian Weimer
* Theodore Ts'o: Right now, even though Lenovo laptops are shipping with Windows 8. UEFI secure boot is not made mandatory (although it is on enough to brick the laptop when it runs into bugs with the UEFI BIOS code, sigh). But sooner or later, UEFI secure boot will be on by default, and

Re: Trusted kernel patchset for Secure Boot lockdown

2014-03-19 Thread Florian Weimer
* One Thousand Gnomes: For the Chrome OS use-case, it might be better described as untrusted userspace, but that seems unfriendly. :) The trusted kernel name seems fine to me. Trusted is rather misleading. It's not trusted, it's *measured*. I don't think anyone is doing any measurement. In

Re: [RFC PATCH 00/18 v3] Signature verification of hibernate snapshot

2013-08-28 Thread Florian Weimer
* Chun-Yi Lee: + EFI bootloader must generate RSA key-pair when system boot: - Bootloader store the public key to EFI boottime variable by itself - Bootloader put the private key to S4SignKey EFI variable to forward to the kernel. Is the UEFI NVRAM really suited for such regular

Re: [RFC PATCH 00/18 v3] Signature verification of hibernate snapshot

2013-09-01 Thread Florian Weimer
* joeyli: Yes, Matthew raised this concern before. I modified the patch to load the private key in the efi stub kernel, before ExitBootServices(), which means we don't need to generate a key-pair at every system boot. So, the above procedure of the efi bootloader will only run one time. But if you don't

Re: [RFC PATCH 00/18 v3] Signature verification of hibernate snapshot

2013-09-01 Thread Florian Weimer
* Matthew Garrett: On Sun, Sep 01, 2013 at 12:41:22PM +0200, Florian Weimer wrote: But if you don't generate fresh keys on every boot, the persistent keys are more exposed to other UEFI applications. Correct me if I'm wrong, but I don't think UEFI variables are segregated between different

Re: [PATCH 0/6] File Sealing memfd_create()

2014-06-17 Thread Florian Weimer
the O_RDONLY hole while leaving the O_PATH hole open.

Re: [PATCH v3 0/7] File Sealing memfd_create()

2014-06-17 Thread Florian Weimer
are not available to them. A couple of weeks ago, sealing was to be applied to anonymous shared memory. Has this changed? Why should *reading* it trigger OOM?

Re: [PATCH v3 0/7] File Sealing memfd_create()

2014-06-17 Thread Florian Weimer
not imply that. or mlock() to make the kernel lock them in memory. See above for why that does not work. I think you should eliminate the holes on sealing and report ENOMEM there if necessary.

Re: [PATCH v3 0/7] File Sealing memfd_create()

2014-06-17 Thread Florian Weimer
?

Re: [PATCH 1/2] vfs: Add fchmodat4 syscall: fchmodat with flag argument

2014-01-20 Thread Florian Weimer
in user space, so I wonder if this could be applied, and if not, why. Thanks.

[PATCH 2/3] vfs: Implement fsetxattrat, fgetxattrat, flistxattrat, fremovexattrat

2014-01-21 Thread Florian Weimer
The implementation closely mirrors the existing fchownat system call. Cc: Alexander Viro v...@zeniv.linux.org.uk Signed-off-by: Florian Weimer fwei...@redhat.com --- fs/xattr.c | 122 + 1 file changed, 122 insertions(+) diff --git a/fs

[PATCH 0/3] Implement the f*xattrat family of functions

2014-01-21 Thread Florian Weimer
(void) { setup(); check_without_at(); check_at_directory(); cleanup(); setup(); check_at_path_file(file1); cleanup(); setup(); check_at_path_file(symlink1); cleanup(); setup(); check_at_path_symlink(); cleanup(); return 0; } Florian Weimer (3): vfs: Introduce

[PATCH 1/3] vfs: Introduce XATTR_SET_MASK

2014-01-21 Thread Florian Weimer
This will be used to separate the xattr operations from the AT_* flags. Cc: Alexander Viro v...@zeniv.linux.org.uk Signed-off-by: Florian Weimer fwei...@redhat.com --- fs/xattr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/xattr.c b/fs/xattr.c index 3377dff..9e44641

[PATCH 3/3] x86: wire fsetxattrat, fgetxattrat, flistxattrat, fremovexattrat syscalls

2014-01-21 Thread Florian Weimer
Cc: Al Viro v...@zeniv.linux.org.uk Signed-off-by: Florian Weimer fwei...@redhat.com --- arch/x86/syscalls/syscall_32.tbl | 4 arch/x86/syscalls/syscall_64.tbl | 4 2 files changed, 8 insertions(+) diff --git a/arch/x86/syscalls/syscall_32.tbl b/arch/x86/syscalls/syscall_32.tbl index

Futex and get_user_pages error conditions

2014-01-28 Thread Florian Weimer
-up).

Re: Thoughts on credential switching

2014-03-27 Thread Florian Weimer
of partial failure. We really need kernel support to perform the process-wide switch in an all-or-nothing manner.

Re: Thoughts on credential switching

2014-03-27 Thread Florian Weimer
the kernel perspective, this is not really a problem because the credentials are always per-task. It's just that a conforming user space needs the process-wide credentials.

Re: Thoughts on credential switching

2014-03-27 Thread Florian Weimer
it results in something like five RCU callbacks per impersonation round-trip. Do you mean setfsuid instead of setresuid?

[PATCH] random: Add initialized variable to proc

2014-04-28 Thread Florian Weimer
Before this change, you had to check kernel log messages to see if the non-blocking pool had been properly initialized. With this change, you can consult the file /proc/sys/kernel/random/intialized instead. Signed-off-by: Florian Weimer fwei...@redhat.com --- drivers/char/random.c | 19

Re: [PATCH] random: Add initialized variable to proc

2014-04-29 Thread Florian Weimer
On 04/28/2014 11:41 PM, Theodore Ts'o wrote: On Mon, Apr 28, 2014 at 09:52:11PM +0200, Florian Weimer wrote: Before this change, you had to check kernel log messages to see if the non-blocking pool had been properly initialized. With this change, you can consult the file /proc/sys/kernel

Re: [PATCH 0/6] File Sealing memfd_create()

2014-04-08 Thread Florian Weimer
would be interesting for many things (not just libffi bypassing SELinux-enforced NX restrictions :-).

Re: [PATCH 0/6] File Sealing memfd_create()

2014-04-22 Thread Florian Weimer
On 04/09/2014 11:31 PM, David Herrmann wrote: On Tue, Apr 8, 2014 at 3:00 PM, Florian Weimer fwei...@redhat.com wrote: How do you keep these promises on network and FUSE file systems? I don't. This is shmem only. Ah. What do you recommend for recipient to recognize such descriptors

Re: Thoughts on credential switching

2014-04-22 Thread Florian Weimer
not clear to me where to start. Please show me one user of that and declare it brain dead. Safely and demonstratively relinquishing elevated privileges. POSIX or not it just does not have any real programming mining at all. What do you mean with mining in this context?

Re: [PATCH 0/6] File Sealing memfd_create()

2014-04-22 Thread Florian Weimer
On 04/22/2014 01:55 PM, David Herrmann wrote: Hi On Tue, Apr 22, 2014 at 11:10 AM, Florian Weimer fwei...@redhat.com wrote: Ah. What do you recommend for recipient to recognize such descriptors? Would they just try to seal them and reject them if this fails? This highly depends on your use

Re: [PATCH, RFC -v2] random: introduce getrandom(2) system call

2014-07-18 Thread Florian Weimer
or something like that which means block/return EAGAIN until the kernel pool is initialized? Thanks. (See the previous discussion about pool initialization.) -- Florian Weimer / Red Hat Product Security

Re: kdbus: add documentation

2014-11-30 Thread Florian Weimer
* Greg Kroah-Hartman: +The focus of this document is an overview of the low-level, native kernel D-Bus +transport called kdbus. Kdbus exposes its functionality via files in a +filesystem called 'kdbusfs'. All communication between processes takes place +via ioctls on files exposed through

Re: kdbus: add documentation

2014-11-30 Thread Florian Weimer
* Greg Kroah-Hartman: +7.4 Receiving messages +Also, if the connection allowed for file descriptor to be passed +(KDBUS_HELLO_ACCEPT_FD), and if the message contained any, they will be +installed into the receiving process after the KDBUS_CMD_MSG_RECV ioctl +returns. The receiving task is

Re: [RFC PATCH] proc, pidns: Add highpid

2014-11-30 Thread Florian Weimer
* Andy Lutomirski: The initial implementation is straightforward: highpid is simply a 64-bit counter. If a high-end system can fork every 3 ns (which would be amazing, given that just allocating a pid requires at atomic operation), it would take well over 1000 years for highpid to wrap. I'm

Re: kdbus: add documentation

2014-11-30 Thread Florian Weimer
* Andy Lutomirski: At the risk of opening a can of worms, wouldn't this be much more useful if you could share a pool between multiple connections? They would also be useful to reduce context switches when receiving data from all kinds of descriptors. At present, when polling, you receive

Re: kdbus: add documentation

2014-11-30 Thread Florian Weimer
* David Herrmann: poll(2) and friends cannot return data for changed descriptors. I think a single trap for each KDBUS_CMD_MSG_RECV is acceptable. If this turns out to be a bottleneck, we can provide bulk-operations in the future. Anyway, I don't see how a _shared_ pool would change any of

Re: kdbus: add documentation

2014-11-30 Thread Florian Weimer
* David Herrmann: On Sun, Nov 30, 2014 at 10:02 AM, Florian Weimer f...@deneb.enyo.de wrote: * Greg Kroah-Hartman: +7.4 Receiving messages What happens if this is not possible because the file descriptor limit of the processes would be exceeded? EMFILE, and the message

Re: [RFC PATCH] proc, pidns: Add highpid

2014-11-30 Thread Florian Weimer
* Andy Lutomirski: On Nov 30, 2014 1:47 AM, Florian Weimer f...@deneb.enyo.de wrote: * Andy Lutomirski: The initial implementation is straightforward: highpid is simply a 64-bit counter. If a high-end system can fork every 3 ns (which would be amazing, given that just allocating a pid

Re: [PATCH v2 0/7] CLONE_FD: Task exit notification via file descriptor

2015-06-15 Thread Florian Weimer
that this is a separate and quite sensible use case. -- Florian Weimer / Red Hat Product Security

Re: [PATCH v2 0/7] CLONE_FD: Task exit notification via file descriptor

2015-05-29 Thread Florian Weimer
the PID. Is this not the case? -- Florian Weimer / Red Hat Product Security

Re: [PATCH 3/3] sched: Implement interface for cgroup unified hierarchy

2015-10-25 Thread Florian Weimer
On 10/25/2015 12:58 PM, Theodore Ts'o wrote: > Well, I was thinking we could just teach them to use > "syscall(SYS_gettid)". Right, and that's easier if TIDs are officially part of the GNU API. I think the worry is that some future system might have TIDs which do not share the PID space, or are

Re: [PATCH 3/3] sched: Implement interface for cgroup unified hierarchy

2015-10-25 Thread Florian Weimer
On 10/25/2015 11:41 AM, Theodore Ts'o wrote: > On Sun, Oct 25, 2015 at 10:33:32AM +0100, Ingo Molnar wrote: >> >> Hm, that's weird - all our sched_*() system call APIs that set task >> scheduling >> priorities are fundamentally per thread, not per process. Same goes for the >> old >>
