| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 02 May 2012 17:49:58 +0200 From: Paolo Bonzini <pbonzini@...hat.com> To: Alan Cox <alan@...rguk.ukuu.org.uk> CC: Jan Kara <jack@...e.cz>, Jens Axboe <axboe@...nel.dk>, LKML <linux-kernel@...r.kernel.org>, James Bottomley <JBottomley@...allels.com>, linux-scsi@...r.kernel.org Subject: Re: [PATCH] scsi: Silence unnecessary warnings about ioctl to partition Il 02/05/2012 17:10, Alan Cox ha scritto: >>> Also I tend to side with Alan that I don't quite see >>> the point in trying to restrict CAP_SYS_RAWIO threads and thus breaking the >>> compatibility >> >> For example, we have a customer that wants this: >> >> * a VM should be able to send vendor-specific commands to a disk via >> SG_IO (vendor-specific commands require CAP_SYS_RAWIO). >> >> * they want to assign logical volumes or partitions to the same VM >> without letting it read or write outside the logical volume or partition. > > And if the process has CAP_SYS_RAWIO it can do it anyway. How so? Assuming /dev/sdb is not accessible, /dev/sdb1 is accessible, and no iopl/ioperm. > Or you could just do the special case ioctl magic out of band in the apps. You mentioned crass/gross hacks. Forcing apps to detect if you're targeting a partition or a block device _is_ gross. > It's hardly an ultra performance critical path for the SG_IO cases. That I agree with. >> Of course a better solution for this would be customizable filters for >> SG_IO commands, where a privileged application would open the block >> device with CAP_SYS_RAWIO, set the filter and hand the file descriptor >> to QEMU. Or alternatively some extension of the device cgroup. But >> either solution would require a large amount of work. > > Customisable filters are not hard. We've got all the filtering code in > kernel and the ability to verify filters, even the ability to JIT them. > Just support adding/removing/running a BPF filter on the channel in > question. > > So it shouldn't be much code to do what you want. Yes, it's not much code if I don't get into cgroups land and stick with a ioctl to add and remove BPF filters that look at CDBs. One downside is that such filtering would likely be enabled by CAP_SYS_RAWIO. Because of this, tweaking the filter on the fly is still not too easy because I want to run as unprivileged as possible. I guess some privileged helper program can set the filter and send me back the file descriptor via SCM_RIGHTS. The filter will be preserved across that, right? I still believe this is suboptimal in the general case, and that Jan's customer has a bug. But hey I would have ended up implementing the filters anyway sooner or later, so I'd rather avoid further flames and work on them with someone supporting the idea. :) Reluctantly Acked-by: Paolo Bonzini <pbonzini@...hat.com> Paolo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists