lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4FA157A6.7050209@redhat.com>
Date:	Wed, 02 May 2012 17:49:58 +0200
From:	Paolo Bonzini <pbonzini@...hat.com>
To:	Alan Cox <alan@...rguk.ukuu.org.uk>
CC:	Jan Kara <jack@...e.cz>, Jens Axboe <axboe@...nel.dk>,
	LKML <linux-kernel@...r.kernel.org>,
	James Bottomley <JBottomley@...allels.com>,
	linux-scsi@...r.kernel.org
Subject: Re: [PATCH] scsi: Silence unnecessary warnings about ioctl to partition

Il 02/05/2012 17:10, Alan Cox ha scritto:
>>> Also I tend to side with Alan that I don't quite see
>>> the point in trying to restrict CAP_SYS_RAWIO threads and thus breaking the
>>> compatibility
>>
>> For example, we have a customer that wants this:
>>
>> * a VM should be able to send vendor-specific commands to a disk via
>> SG_IO (vendor-specific commands require CAP_SYS_RAWIO).
>>
>> * they want to assign logical volumes or partitions to the same VM
>> without letting it read or write outside the logical volume or partition.
> 
> And if the process has CAP_SYS_RAWIO it can do it anyway.

How so?  Assuming /dev/sdb is not accessible, /dev/sdb1 is accessible,
and no iopl/ioperm.

> Or you could just do the special case ioctl magic out of band in the apps.

You mentioned crass/gross hacks.  Forcing apps to detect if you're
targeting a partition or a block device _is_ gross.

> It's hardly an ultra performance critical path for the SG_IO cases.

That I agree with.

>> Of course a better solution for this would be customizable filters for
>> SG_IO commands, where a privileged application would open the block
>> device with CAP_SYS_RAWIO, set the filter and hand the file descriptor
>> to QEMU.  Or alternatively some extension of the device cgroup.  But
>> either solution would require a large amount of work.
> 
> Customisable filters are not hard. We've got all the filtering code in
> kernel and the ability to verify filters, even the ability to JIT them.
> Just support adding/removing/running a BPF filter on the channel in
> question.
> 
> So it shouldn't be much code to do what you want.

Yes, it's not much code if I don't get into cgroups land and stick with
a ioctl to add and remove BPF filters that look at CDBs.  One downside
is that such filtering would likely be enabled by CAP_SYS_RAWIO.
Because of this, tweaking the filter on the fly is still not too easy
because I want to run as unprivileged as possible.  I guess some
privileged helper program can set the filter and send me back the file
descriptor via SCM_RIGHTS.  The filter will be preserved across that, right?

I still believe this is suboptimal in the general case, and that Jan's
customer has a bug.  But hey I would have ended up implementing the
filters anyway sooner or later, so I'd rather avoid further flames and
work on them with someone supporting the idea. :)  Reluctantly

Acked-by: Paolo Bonzini <pbonzini@...hat.com>

Paolo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ