On Wed, 17 Feb 2016 14:29:29 -0800 John Stultz <john.stu...@linaro.org> wrote:
> On Wed, Feb 17, 2016 at 12:18 PM, Andrew Morton > <a...@linux-foundation.org> wrote: > > On Wed, 17 Feb 2016 12:09:08 -0800 Kees Cook <keesc...@chromium.org> wrote: > >> On Wed, Feb 17, 2016 at 11:35 AM, Andrew Morton > >> > The procfs file's permissions are 0644, yes? So a process's > >> > timer_slack is world-readable? hm. > >> > >> This should be 600, IMO. > > > > Sounds safer. > > So I've gone ahead and addressed this and the other feedback you had. > But this bit made me realize that I may have missed a key aspect to > the interface that Android needs. > > In particular, the whole point here is to allow a controlling task to > modify other tasks' timerslack to limit background tasks' power usage > (and to modify them back to normal when the background tasks become > foreground tasks). Note that on android different tasks run as > different users. > > Currently, the controlling process has minimally elevated privileges > (CAP_SYS_NICE). The initial review suggested those privileges should > be higher (PTRACE_MODE_ATTACH), which I've implemented. However, I'm > realizing that by moving to the proc interface, the filesystem > permissions here put yet another barrier in the way. > > While the 600 permissions makes initial sense, it does limit these > controlling tasks with extra privileges (though not root) from > modifying the timerslack, since they cannot open the file to begin > with. > > So.... Does world writable (plus the PTRACE_MODE_ATTACH_FSCREDS check) > make more sense here? Or is there a better way for a system to tweak > the default permissions for procfs entries? (And if so, does that > render the PTRACE_MODE_ATTACH... check unnecessary?). I can't immediately think of a problem with it. Could we check PTRACE_MODE_ATTACH_FSCREDS in open() to prevent bad guys from reading our timerslack?
