Message-ID: <4BEBDAF5.3020004@redhat.com>
Date: Thu, 13 May 2010 13:56:53 +0300
From: Avi Kivity <avi@...hat.com>
To: Chris Wright <chrisw@...s-sol.org>
CC: greg@...ah.com, jbarnes@...tuousgeek.org, matthew@....cx,
linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org,
kvm@...r.kernel.org, ddutile@...hat.com, alex.williamson@...hat.com
Subject: Re: [PATCH 2/2] pci: allow sysfs file owner to read device dependent config space

On 05/13/2010 04:29 AM, Chris Wright wrote:
> The PCI config space bin_attr read handler has a hardcoded CAP_SYS_ADMIN
> check to verify privileges before allowing a user to read device
> dependent config space. This is meant to protect from an unprivileged
> user potentially locking up the box.
>
> When assigning a PCI device directly to a guest with libvirt and KVM,
> the sysfs config space file is chown'd to the unprivileged user that
> the KVM guest will run as. The guest needs to have full access to the
> device's config space since it's responsible for driving the device.
> However, despite being the owner of the sysfs file, the CAP_SYS_ADMIN
> check will not allow read access beyond the config header.
>
> With this patch the sysfs file owner is also considered privileged enough
> to read all of the config space.
>
>

Related questions:

- does sysfs support selinux labels?
- what about iommu?

So we give a user privileges to access a device. But if we don't
enforce iommu protection, you're giving the user access to the entire
system.

With kvm, qemu wraps the device with an iommu, but this is less secure
than it might be. Better to have a privileged process open the device,
irrevocably wrap it with an iommu, and pass the wrapped fd to qemu.
This is probably best done with uio, but it means all device access
needs to be available through the uio fd, including pci config space access.

--
error compiling committee.c: too many arguments to function
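
The fd-passing half of the design proposed in the message above, as an added example that is not part of the original message or of any kernel or qemu code: a helper opens the resource and hands only the open descriptor to the consumer over a Unix socket with SCM_RIGHTS, so no chown of the file is needed. The names `send_fd`, `recv_fd` and `broker_demo` are hypothetical, `path` stands in for the device file, both sides run in one process for brevity, and the iommu-wrapping step is not shown because the message names no interface for it.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Send one open descriptor over a Unix socket as SCM_RIGHTS ancillary data. */
static int send_fd(int sock, int fd)
{
    char byte = 0, ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    memset(ctl, 0, sizeof(ctl));
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(); returns the new fd or -1. */
static int recv_fd(int sock)
{
    char byte, ctl[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl, .msg_controllen = sizeof(ctl) };
    int fd = -1;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Helper opens path read-only and passes it on; returns bytes the consumer read. */
int broker_demo(const char *path, char *out, size_t len)
{
    int sv[2], n = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int dev = open(path, O_RDONLY);          /* helper: the only open() call */
    int sent = dev >= 0 && send_fd(sv[0], dev) == 0;
    if (dev >= 0) close(dev);                /* helper keeps no copy */
    int got = sent ? recv_fd(sv[1]) : -1;    /* consumer: descriptor only, no path */
    if (got >= 0) { n = (int)read(got, out, len); close(got); }
    close(sv[0]); close(sv[1]);
    return n;
}
```

The consumer inherits the access mode the helper chose at open time (read-only here), which is what lets the privileged side decide the extent of access before handing the descriptor over.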