On 10/29/2014 11:19 PM, Andy Lutomirski wrote: > I think that each piece of trustable metadata needs to be explicitly > opted-in to by the sender at the time of capture. Otherwise you're > asking for lots of information leaks and privilege escalations. This > is especially important given that some of the items in the current > list could be rather sensitive. Alright, the above seems to pretty much sum up that end of our discussion. To address this, We've now added the following functionality for v2: * The attach_flags in kdbus_cmd_hello was split into two parts, attach_flags_send and attach_flags_recv, so each peer may chose what exactly it want to transmit or receive. * Metadata will only be attached to the final message in the receiver's pool if both the sender's attach_flags_send and the receiver's attach_flags_recv bit are set. * Consequently, the existing KDBUS_ITEM_ATTACH_FLAGS item type is split into KDBUS_ITEM_ATTACH_FLAGS_SEND and KDBUS_ITEM_ATTACH_FLAGS_RECV, so that both connection details can be separately updated through KDBUS_CMD_CONN_UPDATE. * To allow for use cases that require certain metadata to be attached on each message, we've added a negotiation mechanism to the HELLO ioctl: An optional metadata mask can be passed during the creation of buses, so bus owners may require certain bits in attach_flags_send to be set. That way, the creator of the bus will specify which metadata is required to fulfill the requirements of the specification of the role of the bus. Thanks again for your input! Daniel -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
