git: aefe30c54371 - main - cat: capsicumize it

Mike Karels mike at karels.net
Sat Jan 16 14:49:05 UTC 2021


Mateusz wrote:
> I have to strongly disagree with this change.

> truss -f cat /etc/motd immediately reveals most peculiar overhead
> which comes with it.

> Some examples:
> - pdfork is called 3 times and fork 1 time, spawning 4 processes in total
> - the file is opened twice:
>  5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00)  = 5 (0x5)
>  5548: cap_rights_limit(5,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
>  5548: openat(AT_FDCWD,"/etc/motd",O_RDONLY,00)  = 7 (0x7)
>  5548: cap_rights_limit(7,{ CAP_READ,CAP_FCNTL,CAP_FSTAT }) = 0 (0x0)
> - there is an enormous number of sendto/recvfrom instead of everything
> happening in just one go

> Key points:
> - the functionality provided by casper definitely induces way more
> overhead than it should.
> - regardless of the above, I find patching tools like tail and cat in
> this manner to be highly questionable. Ultimately whatever security
> may or may not have been gained always has to be gauged against
> actual impact and it does not look like it is worth it in this case.

> Even if someone was to put cat in capability mode, for something as
> trivial as opening one file, cat could just do it without all the other
> overhead and then enter the sandbox.

> That said, I think this change (and possibly similar changes to other
> tooling) should be reverted. Regardless of what happens here, casper
> needs a lot of work before it is deemed usable.

> My $0,03.

I also question this change.  Using capsicum makes sense for something
like tcpdump, which usually runs as root, uses privileged facilities,
and interprets external data that could potentially subvert it in the
worst case.  It also has a fairly high startup cost that can be amortized
over its runtime.  Cat is nothing like this, so I wonder what the motivation
was for the change.  It's not obvious to me that there is any significant
value in capsicumizing, and there are obviously significant costs.

		Mike

> On 1/15/21, Mariusz Zaborski <oshogbo at freebsd.org> wrote:
> > The branch main has been updated by oshogbo:
> >
> > URL:
> > https://cgit.FreeBSD.org/src/commit/?id=aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> >
> > commit aefe30c5437159a5399bdbc1974d6fbf40f2ba0f
> > Author:     Mariusz Zaborski <oshogbo at FreeBSD.org>
> > AuthorDate: 2021-01-15 20:22:29 +0000
> > Commit:     Mariusz Zaborski <oshogbo at FreeBSD.org>
> > CommitDate: 2021-01-15 20:23:42 +0000
> >
> >     cat: capsicumize it
> >
> >     Reviewed by:    markj, arichardson
> >     Differential Revision:  https://reviews.freebsd.org/D28083
<snip>
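The "open the file first, then enter the sandbox" ordering Mateusz suggests above, as an added C example; it is not code from the commit, from FreeBSD's cat(1) or from anyone in this thread. It assumes FreeBSD's Capsicum API (cap_rights_init, cap_rights_limit and cap_enter from sys/capsicum.h); on a host without Capsicum the sandbox calls compile to no-ops so the copy logic itself can still be exercised. The function names, temp-file paths and the sample text are made up for the example.

```c
/* Added example: a cat-style copy that does its single open(2) with ambient
 * authority, trims the descriptors to the rights the copy loop needs, and
 * only then calls cap_enter().  No Casper, no extra processes. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#else
/* Assumption: this host has no Capsicum (e.g. Linux).  These stand-ins turn
 * the sandbox steps into no-ops so the rest of the example still runs. */
typedef struct { int unused; } cap_rights_t;
#define cap_rights_init(rights, ...) ((void)(rights))
#define cap_rights_limit(fd, rights) 0
#define cap_enter() 0
#endif

/* Copy `path` to `out_fd`.  Everything that needs a global namespace (the
 * open by path) happens before cap_enter(); after that the process can only
 * read in_fd and write out_fd.  Returns bytes copied, or -1 with errno set. */
ssize_t cat_then_sandbox(const char *path, int out_fd)
{
    int in_fd = open(path, O_RDONLY);   /* the one and only open */
    if (in_fd == -1)
        return -1;

    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);  /* input: read + fstat */
    if (cap_rights_limit(in_fd, &rights) == -1)
        goto fail;
    cap_rights_init(&rights, CAP_WRITE);            /* output: write only */
    if (cap_rights_limit(out_fd, &rights) == -1)
        goto fail;
    if (cap_enter() == -1)                          /* point of no return */
        goto fail;

    char buf[8192];
    ssize_t total = 0;
    for (;;) {
        ssize_t n = read(in_fd, buf, sizeof buf);
        if (n == 0)
            break;
        if (n == -1) {
            if (errno == EINTR)
                continue;
            goto fail;
        }
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out_fd, buf + off, (size_t)(n - off));
            if (w == -1) {
                if (errno == EINTR)
                    continue;
                goto fail;
            }
            off += w;
        }
        total += n;
    }
    close(in_fd);
    return total;
fail:
    close(in_fd);
    return -1;
}

/* Demo/test helper: writes a constructed sample to a temp file, copies it
 * with cat_then_sandbox(), and reads the output back through a descriptor
 * dup'ed *before* the rights were limited (dup'ed descriptors carry their
 * own rights).  The input file is deliberately left behind: unlink(2) by
 * path is exactly the kind of call cap_enter() forbids afterwards.
 * Returns the number of bytes copied, or -1 if anything failed or differs. */
ssize_t demo_copy(const char *sample)
{
    char in_path[] = "/tmp/capcat_in.XXXXXX";    /* constructed paths */
    char out_path[] = "/tmp/capcat_out.XXXXXX";
    int in_fd = mkstemp(in_path);
    int out_fd = mkstemp(out_path);
    if (in_fd == -1 || out_fd == -1)
        return -1;
    unlink(out_path);                 /* output lives on via its descriptors */
    size_t len = strlen(sample);
    if (write(in_fd, sample, len) != (ssize_t)len)
        return -1;
    close(in_fd);
    int verify_fd = dup(out_fd);      /* full rights, taken before limiting */

    ssize_t n = cat_then_sandbox(in_path, out_fd);
    if (n != (ssize_t)len || len >= 256)
        return -1;
    char back[256];
    if (lseek(verify_fd, 0, SEEK_SET) == -1)
        return -1;
    ssize_t r = read(verify_fd, back, sizeof back - 1);
    if (r != (ssize_t)len)
        return -1;
    back[r] = '\0';
    return strcmp(back, sample) == 0 ? n : -1;
}

int main(void)
{
    /* Constructed sample text, not the contents of any real /etc/motd. */
    ssize_t n = demo_copy("Welcome to the sandboxed cat demo.\n");
    printf("copied %ld bytes\n", (long)n);
    return n == -1 ? 1 : 0;
}
```

Compared with the truss output quoted above, this does one openat, two cap_rights_limit calls and one cap_enter, with no pdfork or sendto/recvfrom traffic; the price is that anything needing a path after cap_enter (a second argument, the cleanup unlink in the helper) has to be opened or done beforehand.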

