On Sat, 22 Oct 2016 08:56:29 -0200
Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxx> wrote:

> The security implications will be the same if either coded as an
> "ioctl()" or as "syscall", the scripts should be audited. Actually,
> if we force the need of a "syscall" for every such script, we have
> twice the code to audit, as both the Sphinx extension and the perl
> script will need to audit, increasing the attack surface.

Just addressing this one part for the moment.  Clearly I've not explained
my concern well.

The kernel-cmd directive makes it possible for *any* RST file to run
arbitrary shell commands.  I'm not concerned about the scripts we add, I
hope we can get those right.  I'm worried about what slips in via a tweak
to some obscure .rst file somewhere.

A quick check says that 932 commits touched Documentation/ since 4.8.  A
lot of those did not come from either my tree or yours; *everybody* messes
around in the docs tree.  People know to look closely at changes to
makefiles and such; nobody thinks to examine documentation changes for
such things.

I think there are attackers out there who would like the opportunity to
run commands in the settings where kernels are built; we need to think
pretty hard before we make that easier to do.

See what I'm getting at here?

jon
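One way to act on the concern above, as an added example that is not part of the thread or of the kernel tree: a Python check that walks a unified diff and reports every executing directive added to an .rst file, so a doc-only change gets the same scrutiny a Makefile change would. The ".. kernel-cmd:: <command>" syntax, the sample diff and the allowlist are assumptions, not taken from the thread.

```python
import re

# "kernel-cmd" is the directive discussed in the thread; the ".. kernel-cmd:: <command>"
# syntax assumed here is not taken from the thread.  Add other executing directives as needed.
EXEC_DIRECTIVES = frozenset({"kernel-cmd"})
DIRECTIVE_RE = re.compile(r"^\s*\.\.\s+(?P<name>[\w-]+)::\s*(?P<arg>.*)$")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

def find_exec_directives(text, path="<rst>", allowed=frozenset()):
    """(path, lineno, directive, command) for each executing directive not on the allowlist."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = DIRECTIVE_RE.match(line)
        if m and m.group("name") in EXEC_DIRECTIVES:
            cmd = m.group("arg").strip()
            if cmd not in allowed:
                hits.append((path, lineno, m.group("name"), cmd))
    return hits

def audit_diff(diff_text, allowed=frozenset()):
    """Report executing directives on added lines of a unified diff, with new-file line numbers."""
    hits, path, lineno = [], None, None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):                        # new-file header
            path = re.sub(r"^b/", "", line[4:].split("\t")[0])
        elif line.startswith("@@"):                        # hunk header: new-file start line
            m = HUNK_RE.match(line)
            lineno = int(m.group(1)) if m else None
        elif lineno is not None and line.startswith("+"):  # added line: the only place to look
            hits += [(path, lineno, n, c) for _, _, n, c in
                     find_exec_directives(line[1:], allowed=allowed)]
            lineno += 1
        elif lineno is not None and (line == "" or line.startswith(" ")):
            lineno += 1                                    # context advances; '-' lines do not
    return hits

# Constructed sample: a doc-only change that drops an executing directive into an obscure file.
SAMPLE_DIFF = """\
--- a/Documentation/media/obscure.rst
+++ b/Documentation/media/obscure.rst
@@ -10,3 +10,5 @@ Some heading
 Some paragraph.
 
+.. kernel-cmd:: some/unaudited/script.sh --flag
+
 More text.
"""
```

Run `audit_diff` over the output of `git diff` (or `git show`) for a docs commit, passing the commands the docs maintainers have reviewed as `allowed`; anything it returns is a command a documentation build would execute that nobody has signed off on.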