[Xenomai-core] [RFC][PATCH] security check for skin access
Hi,

you all may know that Xenomai provides a bulk of very powerful interfaces to userspace real-time applications. But not everyone may have thought about the fact yet that these syscall extensions are accessible for *all* users in the system! Well, real-time and security is a more complex topic, but we should at least restore the same level of security which Linux provides.

For this purpose, the attached (and long-planned) patch adds basic access control to all Xenomai skin services by requiring CAP_SYS_NICE, i.e. the same capability that is also required to manipulate the normal Linux scheduling parameters. I would suggest merging it, either as an option (with default=y) or unconditionally (it's just a tiny additional check in the syscall path).

Jan

Index: ksrc/nucleus/shadow.c === --- ksrc/nucleus/shadow.c (revision 719) +++ ksrc/nucleus/shadow.c (working copy) @@ -1141,6 +1141,12 @@ static inline int do_hisyscall_event (un if (!__xn_reg_mux_p(regs)) goto linux_syscall; +if (unlikely(!cap_raised(p-cap_effective, CAP_SYS_NICE))) + { + __xn_error_return(regs,-EPERM); + return RTHAL_EVENT_STOP; + } + muxid = __xn_mux_id(regs); muxop = __xn_mux_op(regs);

___
Xenomai-core mailing list
Xenomai-core@gna.org
https://mail.gna.org/listinfo/xenomai-core
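Review bot: the check reads the task's cap_effective bitmask directly with cap_raised() instead of calling capable(CAP_SYS_NICE), which is the form Linux uses for the scheduling-parameter checks this patch cites as its precedent; assuming p is the current task, `if (unlikely(!capable(CAP_SYS_NICE)))` would keep the two paths identical, including any policy the kernel layers on top of the raw capability bits. Since the check sits before muxid and muxop are decoded, it refuses every skin syscall for an unprivileged caller, including ones that only query state; that is a reasonable default, but it should be stated in the commit message (and in the help text of whatever option ends up gating it) so that users who suddenly see -EPERM know which capability to grant.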
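The kernel-side check above tests one bit of the calling task's effective capability set. As an added example that is not part of the patch or the thread, the following userspace helper answers the same question from the outside, by parsing the CapEff line of a /proc/<pid>/status file, so an operator can tell in advance whether a given real-time process would pass the check or be refused with -EPERM. The capability number (CAP_SYS_NICE is bit 23) and the /proc status format are Linux's; the function names and the sample status excerpts are this example's own constructions.

```c
/*
 * Added example, not Xenomai code: decide from /proc/<pid>/status whether a
 * task holds CAP_SYS_NICE in its *effective* set, i.e. whether it would pass
 * a cap_raised(cap_effective, CAP_SYS_NICE) check. Helper names are this
 * example's own; the status-file format and capability number are Linux's.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

#ifndef CAP_SYS_NICE
#define CAP_SYS_NICE 23   /* value from <linux/capability.h> */
#endif

/* Same predicate as the kernel's cap_raised(): is bit `cap` set in the mask? */
static int cap_mask_raised(uint64_t mask, int cap)
{
    if (cap < 0 || cap >= 64)
        return 0;
    return (int)((mask >> cap) & 1);
}

/*
 * Extract the effective-capability mask from the text of a status file.
 * Returns 0 and stores the mask on success, -1 if there is no well-formed
 * "CapEff:" line (which callers must treat as "cannot decide", not "denied").
 */
static int parse_cap_eff(const char *status_text, uint64_t *mask_out)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            char *end;
            while (*p == ' ' || *p == '\t')
                p++;
            errno = 0;
            unsigned long long v = strtoull(p, &end, 16);
            if (end == p || errno != 0)
                return -1;
            if (*end != '\n' && *end != '\r' && *end != '\0')
                return -1;
            *mask_out = (uint64_t)v;
            return 0;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* 1 if CAP_SYS_NICE is effective, 0 if not, -1 if the text could not be parsed. */
static int status_has_sys_nice(const char *status_text)
{
    uint64_t mask;
    if (parse_cap_eff(status_text, &mask) != 0)
        return -1;
    return cap_mask_raised(mask, CAP_SYS_NICE);
}

/* Apply the check to the running process via /proc/self/status. */
static int self_has_sys_nice(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_sys_nice(buf);
}

/* Constructed sample excerpts (not captured from a real system). */
static const char sample_unprivileged[] =
    "Name:\trtdemo\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n";

static const char sample_root[] =
    "Name:\trtdemo\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapEff:\t0000003fffffffff\n";

/* Only bit 23 raised: what `setcap cap_sys_nice+ep` on the binary yields. */
static const char sample_nice_only[] =
    "Name:\trtdemo\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000000800000\n";

int main(void)
{
    printf("unprivileged sample: %d\n", status_has_sys_nice(sample_unprivileged));
    printf("root sample:         %d\n", status_has_sys_nice(sample_root));
    printf("CAP_SYS_NICE only:   %d\n", status_has_sys_nice(sample_nice_only));
    printf("this process:        %d\n", self_has_sys_nice());
    return 0;
}
```

The third sample is the case the patch makes practical: a non-root real-time application that has been granted only CAP_SYS_NICE (for example with `setcap cap_sys_nice+ep` on the executable) passes, while the same binary started by an ordinary user without that grant is refused. Note that the test is on the effective set only, so a capability that is merely permitted but not raised to effective does not satisfy it, exactly as with the kernel check.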
Re: [Xenomai-core] [RFC][PATCH] security check for skin access
Jan Kiszka wrote:
> Hi,
>
> you all may know that Xenomai provides a bulk of very powerful interfaces to userspace real-time applications. But not everyone may have thought about the fact yet that these syscall extensions are accessible for *all* users in the system! Well, real-time and security is a more complex topic, but we should at least restore the same level of security which Linux provides.
>
> For this purpose, the attached (and long-planned) patch adds basic access control to all Xenomai skin services by requiring CAP_SYS_NICE, i.e. the same capability that is also required to manipulate the normal Linux scheduling parameters. I would suggest merging it, either as an option (with default=y) or unconditionally (it's just a tiny additional check in the syscall path).

Applied, thanks.

> Jan
>
> Index: ksrc/nucleus/shadow.c === --- ksrc/nucleus/shadow.c (revision 719) +++ ksrc/nucleus/shadow.c (working copy) @@ -1141,6 +1141,12 @@ static inline int do_hisyscall_event (un if (!__xn_reg_mux_p(regs)) goto linux_syscall; +if (unlikely(!cap_raised(p-cap_effective, CAP_SYS_NICE))) + { + __xn_error_return(regs,-EPERM); + return RTHAL_EVENT_STOP; + } + muxid = __xn_mux_id(regs); muxop = __xn_mux_op(regs);

--
Philippe.
Re: [Xenomai-core] [RFC][PATCH] security check for skin access
Jan Kiszka wrote:
> Hi,
>
> you all may know that Xenomai provides a bulk of very powerful interfaces to userspace real-time applications. But not everyone may have thought about the fact yet that these syscall extensions are accessible for *all* users in the system! Well, real-time and security is a more complex topic, but we should at least restore the same level of security which Linux provides.
>
> For this purpose, the attached (and long-planned) patch adds basic access control to all Xenomai skin services by requiring CAP_SYS_NICE, i.e. the same capability that is also required to manipulate the normal Linux scheduling parameters. I would suggest merging it, either as an option (with default=y) or unconditionally (it's just a tiny additional check in the syscall path).

Also added the CONFIG_OPT_SECURITY_ACCESS switch to make this check conditional.

> Jan
>
> Index: ksrc/nucleus/shadow.c === --- ksrc/nucleus/shadow.c (revision 719) +++ ksrc/nucleus/shadow.c (working copy) @@ -1141,6 +1141,12 @@ static inline int do_hisyscall_event (un if (!__xn_reg_mux_p(regs)) goto linux_syscall; +if (unlikely(!cap_raised(p-cap_effective, CAP_SYS_NICE))) + { + __xn_error_return(regs,-EPERM); + return RTHAL_EVENT_STOP; + } + muxid = __xn_mux_id(regs); muxop = __xn_mux_op(regs);

--
Philippe.