On 10/29/2014 11:28 PM, Andy Lutomirski wrote: > On Wed, Oct 29, 2014 at 3:25 PM, Greg Kroah-Hartman >> You do have to opt-in for this information at time of capture, so >> I don't understand the issue here. This is the same type of thing >> that dbus does today, and I don't see the information leaks >> happening there, do you? > > The docs suggest that the *receiver* opts in. Yes, that's true. > I don't think that current dbus has severe information leaks because > the total scope for information transparently sent to dbus is rather > small (struct ucred only, presumably). Which piece of credential information are you concerned about, particularly? I might miss something, but AFAICS, all of that information can be queried by a remote peer anyway, through /proc for instance. The reason why we (optionally) attach them to messages is that we want to let the other side know which information was authoritative, precisely at the time the message was sent. Current implementation can't do that in a race-free way. Also note that we currently drop all such metadata whenever a message crosses a PID or user namespace boundary. This is because we currently don't know yet which information we would want to transport in such cases, and how the translation in both directions would look like, from a semantic perspective. Hence, we decided to leave that for later. I'll go through your other replies during the day. Thanks for your input on that RFC, everyone. Daniel -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
