On Thu, Jul 24, 2014 at 1:30 PM, Henrique de Moraes Holschuh <hmh@xxxxxxxxxx> wrote: > On Thu, 24 Jul 2014, Theodore Ts'o wrote: >> On Thu, Jul 24, 2014 at 08:21:38AM -0700, Andy Lutomirski wrote: >> > > Should we add E<SOMETHING> to be able to deny access to GRND_RANDOM or some >> > > future extension ? >> > >> > This might actually be needed sooner rather than later. There are >> > programs that use containers and intentionally don't pass /dev/random >> > through into the container. I know that Sandstorm does this, and I >> > wouldn't be surprised if other things (Docker?) do the same thing. >> >> I wouldn't add the error to the man page until we actually modify the >> kernel to add such a restriction. > > By then, it might be too late. It would be really sad to find ourselves > forced to return ENOSYS to getrandom(GRND_RANDOM) when we actually wanted to > return EPERM/EACCES. > > Actually, we might not be able to do even that much: all it takes is for > someone to have the bright idea of deploying userspace code that checks for > ENOSYS only on a first "probe" getrandom() syscall without GRND_RANDOM, and > does something idiotic when it gets ENOSYS later on a > getrandom(GRND_RANDOM). meh. We can't even abuse the system ourselves :-) > Or that someone writes userspace code that gets -EPERM/-EACCESS on getrandom with GRND_RANDOM and falls back to something worse than getrandom w/o GRND_RANDOM. --Andy -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html