Am 22.10.2016 um 17:04 schrieb Jonathan Corbet <corbet@xxxxxxx>: > On Sat, 22 Oct 2016 08:56:29 -0200 > Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxx> wrote: > >> The security implications will be the same if either coded as an >> "ioctl()" or as "syscall", the scripts should be audited. Actually, >> if we force the need of a "syscall" for every such script, we have >> twice the code to audit, as both the Sphinx extension and the perl >> script will need to audit, increasing the attack surface. > > Just addressing this one part for the moment. Clearly I've not explained > my concern well. > > The kernel-cmd directive makes it possible for *any* RST file to run > arbitrary shell commands. I'm not concerned about the scripts we add, I > hope we can get those right. I'm worried about what slips in via a tweak > to some obscure .rst file somewhere. > > A quick check says that 932 commits touched Documentation/ since 4.8. A > lot of those did not come from either my tree or yours; *everybody* messes > around in the docs tree. People know to look closely at changes to > makefiles and such; nobody thinks to examine documentation changes for > such things. I think there are attackers out there who would like the > opportunity to run commands in the settings where kernels are built; we > need to think pretty hard before we make that easier to do. Hmm, I understand, it would not be good, if every .rst (and c-file with kernel-doc in) becomes the potential to be a *executable* ... Might it be a compromise, if we reduce kernel-cmd to start only selected scripts from Documentation/sphinx ? -- Markus -- -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html