Re: [PATCH v2 0/4] Checkpoint/Restore: Show in proc IDs of objectsthat can be shared between tasks

[Cyrill Gorcunov]

On Fri, Nov 18, 2011 at 03:38:40PM -0800, Matt Helsley wrote:
...
> > 
> > Well, in case of hw-rng it should not be that easy, still of course
> > there is no 100% guarantee that there is absolutely no way to predict
> > this mask (espec since it's generated once at lives here forever). But
> 
> The random number itself could be of the best quality and the obfuscation
> could still be completely broken from a security standpoint. Put another
> way, we don't need to attack the method the random number was generated.
> We could probably utilize information we have about how the addresses
> themselves are generated.
> 

Agreed.

> > whatever makes attacker life harder -- is a good thing. After all we might
> > simply take some hash on kernel address here (such as sha256) since it's
> > not a time-critical operation and as far as I know collision is not found
> > for it yet (??).
> 
> Yes, cryptographic hashing seems much better than a highly suspect ad-hoc
> scheme which has barely been analyzed.
>

I'm surely fine with using crypto-hashes here.

> > 
> > > b) If we can export these addresses only to CAP_SYS_ADMIN tasks then
> > >    we don't need to obfuscate them anyway.
> > > 
> > >    Which takes me back to again asking: why not make c/r root-only?
> > >    And provide non-root access via a carefully-written setuid
> > >    front-end?
> > > 
> > 
> > I think non-root approach is a win in a long term (even if it requires
> 
> You could go with the root approach for now and make things more
> permissive later.
> 

Root-only makes all things easier, but I fear if we don't start with
non-root from the very beginning it'll remain root-only forever ;)

	Cyrill
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/