| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 02 Nov 2012 15:49:02 +0100 From: Paolo Bonzini <pbonzini@...hat.com> To: Tejun Heo <tj@...nel.org> CC: Ric Wheeler <rwheeler@...hat.com>, Petr Matousek <pmatouse@...hat.com>, Kay Sievers <kay@...hat.com>, Jens Axboe <axboe@...nel.dk>, linux-kernel@...r.kernel.org, "James E.J. Bottomley" <James.Bottomley@...senPartnership.com> Subject: Re: setting up CDB filters in udev (was Re: [PATCH v2 0/3] block: add queue-private command filter, editable via sysfs) Il 31/10/2012 22:22, Tejun Heo ha scritto: > Hello, Paolo. > > On Thu, Oct 25, 2012 at 02:35:20PM -0400, Paolo Bonzini wrote: >>> Disabling filters if opened by root and tranfering via SCM_RIGHTS >>> would be the simplest interface-wise (there's no new interface at >>> all). Would that be too dangerous security-wise? >> >> That would be a change with respect to what we have now. After >> transferring a root-opened (better: CAP_SYS_RAWIO-opened) file >> descriptor to an unprivileged process your SG_IO commands get >> filtered. So a ioctl is needed if you want to rely on SCM_RIGHTS. > > Yeah, I get that it's a behavior change, but would that be a problem? Worse, it's a potential security hole because previously you'd get filtering and now you wouldn't. Considering that SCM_RIGHTS is usually used to transfer a file descriptor from a privileged process to an unprivileged one, I'd be very worried of that. >>> I guess I just feel quite reluctant to expose another rather obscure >>> userland configurable in-kernel filter and at the same time I'm not >>> sure whether this is flexible enough. What if a device is shared by >>> multiple virtual machines which are trusted at different levels? >> >> No, you just don't do that. If a device is passed through to virtual >> machines, it is between similar virtual machines (for some definition >> of similar). The only case where you have this sharing is in practice >> if either the device is read-only (my patch does give you a basic >> two-level filtering, with two separate bitmaps for RO and RW) or if you >> allow persistent reservations (which is as close to full trust as you >> can get). > > What disturbs me is that it's a completely new interface to userland > and at the same a very limited one at that. So, yeah, it's > bothersome. I personally would prefer SCM_RIGHTS behavior change + > hard coded filters per device class. I think hard-coded filters are bad (I prefer to move policy to userspace), and SCM_RIGHTS without a ioctl is out of question, really. > But, I'd really like to hear what other guys are thinking. Jens? > Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? :P :P Paolo -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists