| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20121031212241.GZ2945@htj.dyndns.org> Date: Wed, 31 Oct 2012 14:22:41 -0700 From: Tejun Heo <tj@...nel.org> To: Paolo Bonzini <pbonzini@...hat.com> Cc: Ric Wheeler <rwheeler@...hat.com>, Petr Matousek <pmatouse@...hat.com>, Kay Sievers <kay@...hat.com>, Jens Axboe <axboe@...nel.dk>, linux-kernel@...r.kernel.org, "James E.J. Bottomley" <James.Bottomley@...senPartnership.com> Subject: Re: setting up CDB filters in udev (was Re: [PATCH v2 0/3] block: add queue-private command filter, editable via sysfs) Hello, Paolo. On Thu, Oct 25, 2012 at 02:35:20PM -0400, Paolo Bonzini wrote: > > Disabling filters if opened by root and tranfering via SCM_RIGHTS > > would be the simplest interface-wise (there's no new interface at > > all). Would that be too dangerous security-wise? > > That would be a change with respect to what we have now. After > transferring a root-opened (better: CAP_SYS_RAWIO-opened) file > descriptor to an unprivileged process your SG_IO commands get > filtered. So a ioctl is needed if you want to rely on SCM_RIGHTS. Yeah, I get that it's a behavior change, but would that be a problem? > > I guess I just feel quite reluctant to expose another rather obscure > > userland configurable in-kernel filter and at the same time I'm not > > sure whether this is flexible enough. What if a device is shared by > > multiple virtual machines which are trusted at different levels? > > No, you just don't do that. If a device is passed through to virtual > machines, it is between similar virtual machines (for some definition > of similar). The only case where you have this sharing is in practice > if either the device is read-only (my patch does give you a basic > two-level filtering, with two separate bitmaps for RO and RW) or if you > allow persistent reservations (which is as close to full trust as you > can get). What disturbs me is that it's a completely new interface to userland and at the same a very limited one at that. So, yeah, it's bothersome. I personally would prefer SCM_RIGHTS behavior change + hard coded filters per device class. But, I'd really like to hear what other guys are thinking. Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? :P Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists