Message-ID: <20130525083713.GA6179@mtj.dyndns.org>
Date: Sat, 25 May 2013 17:37:13 +0900
From: Tejun Heo <tj@...nel.org>
To: James Bottomley <James.Bottomley@...senPartnership.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>, Jens Axboe <axboe@...nel.dk>,
lkml <linux-kernel@...r.kernel.org>,
"linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>
Subject: Re: PING^7 (was Re: [PATCH v2 00/14] Corrections and customization
of the SG_IO command whitelist (CVE-2012-4542))
Hey, James.
On Fri, May 24, 2013 at 09:35:02PM -0700, James Bottomley wrote:
> > Well, I'd actually much prefer disabling CDB whitelisting for all !MMC
> > devices if at all possible.
>
> I'll go along with this. I'm also wondering what the problem would be
Don't think we can. It'd be a behavior change clearly visible to
userland at this point.
> if we just allowed all commands on either CAP_SYS_RAWIO or opening the
> device for write, so we just defer to the filesystem permissions and
> restricted read only opens to the basic all device opcodes.
Given that there are quite a few cases where we give out block device
permission accesses, changing the behavior by default is likely too
dangerous.
> Do we have a real world example of this? Getting the kernel out of the
> command filtering business does seem to be a good idea to me.
Something like the following seems workable.
* Fix the security bug. I don't really care how it's fixed as long as
the amount of whitelisted commands goes down not up.
* It's not like we can remove the filter for !MMC devices at this
point, so I think it makes sense to make it per-class so that we can
*remove* commands which aren't relevant for the device type. Also,
we probably wanna add a red blinking comment yelling that no further
commands should be added.
* Merge the patch to give out SG_IO access along with write access, so
the use cases which want to give out SG_IO access can do so
explicitly and be fully responsible for the device. This makes
sense to me. If one wants to be allowed to issue raw commands to
the hardware, one takes the full responsibility.
Thanks.
--
tejun
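The two filtering policies contrasted above (keep a per-class opcode whitelist, or treat a write open or CAP_SYS_RAWIO as permission for any command and only filter read-only opens) are modelled below in a userspace C program. This is an added example, not code from the thread or from block/scsi_ioctl.c; the opcode values are the standard SPC/SBC/MMC ones, but which opcodes land in which class set, and the removal of FORMAT UNIT from the MMC table, are assumptions chosen to illustrate the per-class mechanism.

```c
/*
 * Added example: userspace model of an SG_IO CDB-opcode filter with
 * per-device-class whitelists. Not the kernel's code; the opcode sets
 * below are assumptions for illustration, not the real whitelist.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_OPCODES 256

/* Opcodes allowed on any open, plus extra ones allowed on a write open. */
struct cmd_filter {
	uint8_t read_ok[NUM_OPCODES / 8];
	uint8_t write_ok[NUM_OPCODES / 8];
};

enum dev_class { CLASS_DISK, CLASS_MMC, CLASS_COUNT };

/* Whitelist everywhere, or "write access means raw access" (filter read-only opens only). */
enum policy { POLICY_WHITELIST, POLICY_WRITE_IS_RAW };

static struct cmd_filter class_filter[CLASS_COUNT];
static bool filters_ready;

static void set_op(uint8_t *bm, unsigned op)   { bm[op >> 3] |= (uint8_t)(1u << (op & 7)); }
static void clear_op(uint8_t *bm, unsigned op) { bm[op >> 3] &= (uint8_t)~(1u << (op & 7)); }
static bool op_set(const uint8_t *bm, unsigned op) { return (bm[op >> 3] >> (op & 7)) & 1u; }

static void fill(uint8_t *bm, const unsigned *ops, size_t n)
{
	for (size_t i = 0; i < n; i++)
		set_op(bm, ops[i]);
}

static void init_filters(void)
{
	/* Assumed sets for this example (standard opcode numbers). */
	static const unsigned basic_read[]  = { 0x00, 0x03, 0x12, 0x1a, 0x25, 0x28 }; /* TUR, REQUEST SENSE, INQUIRY, MODE SENSE(6), READ CAPACITY(10), READ(10) */
	static const unsigned basic_write[] = { 0x04, 0x2a, 0x35 };                   /* FORMAT UNIT, WRITE(10), SYNCHRONIZE CACHE(10) */
	static const unsigned mmc_read[]    = { 0x43, 0x46, 0xbe };                   /* READ TOC, GET CONFIGURATION, READ CD */
	static const unsigned mmc_write[]   = { 0x1b, 0x45 };                         /* START STOP UNIT, PLAY AUDIO(10) */

	memset(class_filter, 0, sizeof(class_filter));
	for (int c = 0; c < CLASS_COUNT; c++) {
		fill(class_filter[c].read_ok, basic_read, sizeof(basic_read) / sizeof(basic_read[0]));
		fill(class_filter[c].write_ok, basic_write, sizeof(basic_write) / sizeof(basic_write[0]));
	}
	fill(class_filter[CLASS_MMC].read_ok, mmc_read, sizeof(mmc_read) / sizeof(mmc_read[0]));
	fill(class_filter[CLASS_MMC].write_ok, mmc_write, sizeof(mmc_write) / sizeof(mmc_write[0]));
	/* What a per-class table buys: a class can *remove* opcodes that make no
	 * sense for it without touching the others. FORMAT UNIT dropped for MMC. */
	clear_op(class_filter[CLASS_MMC].write_ok, 0x04);
	filters_ready = true;
}

/* Returns 0 if the CDB may be issued, -EPERM otherwise. */
int verify_command(enum policy pol, enum dev_class cls, const uint8_t *cdb,
		   bool opened_for_write, bool has_cap_sys_rawio)
{
	unsigned op = cdb[0];

	if (!filters_ready)
		init_filters();
	if (has_cap_sys_rawio)
		return 0;                 /* raw I/O capability bypasses the filter */
	if (pol == POLICY_WRITE_IS_RAW && opened_for_write)
		return 0;                 /* write access == full responsibility for the device */
	if (op_set(class_filter[cls].read_ok, op))
		return 0;
	if (opened_for_write && op_set(class_filter[cls].write_ok, op))
		return 0;
	return -EPERM;
}

/* Build a zeroed 16-byte CDB carrying just the opcode and run it through the filter. */
int check_opcode(enum policy pol, enum dev_class cls, unsigned opcode,
		 bool opened_for_write, bool has_cap_sys_rawio)
{
	uint8_t cdb[16] = { 0 };
	cdb[0] = (uint8_t)opcode;
	return verify_command(pol, cls, cdb, opened_for_write, has_cap_sys_rawio);
}

int main(void)
{
	struct { const char *name; enum dev_class cls; unsigned op; bool w; bool cap; } cases[] = {
		{ "disk READ(10), read-only open",    CLASS_DISK, 0x28, false, false },
		{ "disk WRITE(10), read-only open",   CLASS_DISK, 0x2a, false, false },
		{ "disk WRITE(10), write open",       CLASS_DISK, 0x2a, true,  false },
		{ "disk WRITE BUFFER, write open",    CLASS_DISK, 0x3b, true,  false },
		{ "disk WRITE BUFFER, CAP_SYS_RAWIO", CLASS_DISK, 0x3b, false, true  },
		{ "cdrom FORMAT UNIT, write open",    CLASS_MMC,  0x04, true,  false },
		{ "cdrom READ CD, read-only open",    CLASS_MMC,  0xbe, false, false },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int wl  = check_opcode(POLICY_WHITELIST,    cases[i].cls, cases[i].op, cases[i].w, cases[i].cap);
		int raw = check_opcode(POLICY_WRITE_IS_RAW, cases[i].cls, cases[i].op, cases[i].w, cases[i].cap);
		printf("%-34s whitelist:%-5s write-is-raw:%s\n", cases[i].name,
		       wl ? "EPERM" : "ok", raw ? "EPERM" : "ok");
	}
	return 0;
}
```

The WRITE BUFFER (0x3b) row is the interesting one: under the whitelist policy it is refused even on a write open unless the caller has CAP_SYS_RAWIO, while under the write-is-raw policy a write open alone is enough, which is exactly the behaviour change visible to userland that the message argues cannot be made the default.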