lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 4 Mar 2011 10:25:22 -0800
From:	Jesse Barnes <jbarnes@...tuousgeek.org>
To:	Chris Wright <chrisw@...s-sol.org>
Cc:	James Morris <jmorris@...ei.org>, linux-kernel@...r.kernel.org,
	Eric Paris <eparis@...hat.com>,
	Don Dutile <ddutile@...hat.com>,
	Greg Kroah-Hartman <gregkh@...e.de>,
	Alan Cox <alan@...rguk.ukuu.org.uk>, linux-pci@...r.kernel.org
Subject: Re: [PATCH 2/2 v2] pci: use security_capable() when checking
 capablities during config space read

On Thu, 10 Feb 2011 15:58:56 -0800
Chris Wright <chrisw@...s-sol.org> wrote:

> * James Morris (jmorris@...ei.org) wrote:
> > What about these other users of cap_raised?
> > 
> > drivers/block/drbd/drbd_nl.c:   if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) {
> > drivers/md/dm-log-userspace-transfer.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> > drivers/staging/pohmelfs/config.c:      if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> > drivers/video/uvesafb.c:        if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> 
> Those are a security_netlink_recv() variant.  They should be converted
> although makes sense as a different patchset.
> 
> > Also, should this have a reported-by for Eric ?
> 
> Yes it should, thanks.  Below is patch with Reported-by added (seemed
> overkill to respin the series; holler if that's perferred).
> 
> thanks,
> -chris
> ---
> 
> From: Chris Wright <chrisw@...s-sol.org>
> Subject: [PATCH 2/2 v2] pci: use security_capable() when checking capablities during config space read
> 
> Eric Paris noted that commit de139a3 ("pci: check caps from sysfs file
> open to read device dependent config space") caused the capability check
> to bypass security modules and potentially auditing.  Rectify this by
> calling security_capable() when checking the open file's capabilities
> for config space reads.
> 
> Reported-by: Eric Paris <eparis@...hat.com>
> Cc: Eric Paris <eparis@...hat.com>
> Cc: Greg Kroah-Hartman <gregkh@...e.de>
> Cc: Jesse Barnes <jbarnes@...tuousgeek.org>
> Cc: Alan Cox <alan@...rguk.ukuu.org.uk>
> Cc: linux-pci@...r.kernel.org
> Signed-off-by: Chris Wright <chrisw@...s-sol.org>
> ---
>  drivers/pci/pci-sysfs.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)

Sorry for the late reply, but this is fine with me.  Should probably
just get pushed along with the change to security_capable (assuming
that hasn't been done already).

Acked-by: Jesse Barnes <jbarnes@...tuousgeek.org>

-- 
Jesse Barnes, Intel Open Source Technology Center
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ