Closed smoser closed 2 years ago
It seems reasonable. Two questions:
It seems reasonable. Two questions:
- will -- and = as part of runtime cmdline be rejected? I'd argue they should.
why would '=' be rejected? wrt '--', I think its not of much use. The kernel considers '--' specially so I can kind of see your argument, but systemd basically does its own parsing of /proc/cmdline (it does not, iirc, pay attention to its argc/argv, but fishes through /proc/cmdline for 'systemd.debug-shell=1' or the like).
I'm willing to accept the suggestion as a "better safe than sorry" for now, as it is easier to extend rather than restrict behavior later on.
- What do you think about STUBBY_RT_CLI_ALLOW=console=tty1 STUBBY_RT_CLI_ALLOW=onlinecpu-whatever meaning only that argument, if given in runtime cmdline, will be inserted there? It's probably too much... But it would be a nice way of having the user (the writer of the builtin cmdline) be less reliant on our (authors of stubby) ability to predict what cmdlines are ok or unsafe.
I think "later maybe". I want to enable general function as tightly/simply as possible right now. Also, remember its not that hard to change the allowed-list if someone wanted to do that. And i had proposed allowing that at post-build-time (https://github.com/puzzleos/stubby/issues/14).
why would '=' be rejected?
After '--', to keep from mucking with init's environment. Not before --
But the point of rejecting '--' is so that if you have STUBBY_RT_CLI_ALLOW before an important argument, the user doesn't add '--' making the kernel ignore the important argument. I don't have an example of such an important argument offhand, ghough.
why would '=' be rejected?
After '--', to keep from mucking with init's environment. Not before --
But the point of rejecting '--' is so that if you have STUBBY_RT_CLI_ALLOW before an important argument, the user doesn't add '--' making the kernel ignore the important argument. I don't have an example of such an important argument offhand, ghough.
ah, ok. that does make some sense. I guess I'm OK to reject it for now with the thought that we can enable it later.
One thing to remember is that the result still has to go through the accept-ilst verification. So unless we added '--' and 'YOUR_ENV=YOUR_VAL' into the accept-list, it would get rejected based on that.
Many of my bullet points in the list were just trying to safeguard against "user error" in the builtin command line or an attempt to exploit a bug via runtime command line.
I'm willing to add that 'key=value' cannot occur after '--' in the runtime args if you think we should.
Thoughts?
Currently, stubby allows either:
kernel.efi console=ttyS0 root=LABEL=rootdev
).If a the efi has a builtin command line and is provided with runtime arguments, the boot is rejected.
We would like to be able to support having both a builtin and runtime command lines.
Kernel parsing of its command line and options allowed is discussed here. Some things to note:
--
; if it doesn’t recognize a parameter and it doesn’t contain a ‘.’, the parameter gets passed to init: parameters with ‘=’ go into init’s environment, others are passed as command line arguments to init. Everything after--
is passed as an argument to init.Because of the complexity, we want to be able to tightly control the order of builtin and runtime arguments.
The following is suggested:
Above: