| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 21 May 2009 23:22:49 +0100 From: Alan Cox <alan@...rguk.ukuu.org.uk> To: Alan Stern <stern@...land.harvard.edu> Cc: Al Viro <viro@...IV.linux.org.uk>, Kernel development list <linux-kernel@...r.kernel.org> Subject: Re: How to tell whether a struct file is held by a process? > Here's the story. People have requested that the kernel add a > mechanism whereby a user program can get more-or-less exclusive access > rights to a USB device. In fact, they'd like to reserve these rights People ask for lots of things, often things they should be doing user space, violate the laws of causality or are just dumb. > In order to prevent programs from dying without releasing their > exclusive rights, it seems natural to implement these rights as open > files. Thus, opening file A(P) will give a program exclusive access Standard unix lock files have this property and its worked for many things for many years. > The problem is this. Let D be the device plugged into port P. When > some program opens D's device file, it's necessary to check whether > that same program has an open file reference for A(P), i.e., has opened > A(P), or has inherited a descriptor for A(P) from its parent, or has > been passed such a descriptor over a Unix socket, etc. If not, and if > A(P) is open (owned by someone else), then access to D is denied. Define "program" - is that one thread, many threads, a group of processes involving child processes (often essential for user space device drivers to get the security boundaries right) ? pid doesn't work for thread groups or security divisisons, uid doesn't work for security. There are two kernel models used that I can think of - lock file (pure user space policy) - O_EXCL - stop any other opens with -EBUSY the latter plus file handle passing is quite sufficient to implement pretty much any policy cleanly and to ensure that there are no "inadvertent" accessors. It does mean the fd has to be passed about but that is easy and the natural flow of apps doing that kind of work is to inherit such handles. > If you can think up a better way to implement these exclusive access > rights, I'd be glad to hear it. User space - precisely because defining the access policy and what its really meant by "program" in this case is so device and situation dependant. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists