Hi Andy,

On Thu, Apr 16, 2015 at 12:30:28PM -0700, Andy Lutomirski wrote:
> On Thu, Apr 16, 2015 at 11:23 AM, Lennart Poettering
> <lenn...@poettering.net> wrote:
[...]
> AFAICT this piece of kdbus code serves to enable a rather odd way to
> write privilege-separated services to change the time and kill
> processes. The cost is complex security code that, at best, fails
> secure in the presence of different user namespaces, and the cost also
> involves touching a global refcount for each message sent (this might
> be the *only* thing that would reference init_user_ns's refcount when
> sending). Oh yeah, the cost is also ABI crap -- if, say, my

The global ref-counts on metadata are just a workaround for userns and caps. I actually thought we had already sorted that out?

https://lkml.org/lkml/2015/3/25/702

Hmm, there are other paths that take a ref on user_ns, the mqueue notification perhaps?

Please note that we also have _per_-user quota accounting; the trade-off of accounting prevents further performance penalties on other bus operations.

Regarding performance-critical code, this code path can simply be skipped by not opting in to KDBUS_ATTACH_CAPS, which is the default behaviour.

Thanks!

--
Djalal Harouni
http://opendz.org