Em Sat, 22 Oct 2016 09:04:21 -0600 Jonathan Corbet <corbet@xxxxxxx> escreveu: > On Sat, 22 Oct 2016 08:56:29 -0200 > Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxx> wrote: > > > The security implications will be the same if either coded as an > > "ioctl()" or as "syscall", the scripts should be audited. Actually, > > if we force the need of a "syscall" for every such script, we have > > twice the code to audit, as both the Sphinx extension and the perl > > script will need to audit, increasing the attack surface. > > Just addressing this one part for the moment. Clearly I've not explained > my concern well. > > The kernel-cmd directive makes it possible for *any* RST file to run > arbitrary shell commands. I'm not concerned about the scripts we add, I > hope we can get those right. I'm worried about what slips in via a tweak > to some obscure .rst file somewhere. > > A quick check says that 932 commits touched Documentation/ since 4.8. A > lot of those did not come from either my tree or yours; *everybody* messes > around in the docs tree. People know to look closely at changes to > makefiles and such; nobody thinks to examine documentation changes for > such things. I think there are attackers out there who would like the > opportunity to run commands in the settings where kernels are built; we > need to think pretty hard before we make that easier to do. > > See what I'm getting at here? Yes, I see your point, but IMHO, if we add an extra logic at kernel-cmd to restrict it to run scripts *only* from an specific directory (like Documentation/sphinx), then you'll have a better control. There were only 37 commits there, from you, me and Jani (and, AFAIKT, all of them were sent to the linux-doc ML for review): $ git log --pretty=fuller Documentation/sphinx|grep Commit:|sort|uniq -c 11 Commit: Jani Nikula <jani.nikula@xxxxxxxxx> 10 Commit: Jonathan Corbet <corbet@xxxxxxx> 16 Commit: Mauro Carvalho Chehab <mchehab@xxxxxxxxxxxxxxxx> With is, btw, the same rule we have for a Sphinx extension. If you thing this isn't enough, we could also add some logic at checkpatch.pl to check for the usage of Sphinx extensions. Thanks, Mauro -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html