lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 16 Sep 2014 23:38:42 +0000 From: Maximilian Eschenbacher <maximilian@...henbacher.email> To: linux-kernel@...r.kernel.org Cc: valentina.manea.m@...il.com, shuah.kh@...sung.com, gregkh@...uxfoundation.org, Maximilian Eschenbacher <maximilian@...henbacher.email>, Fjodor Schelichow <fjodor.schelichow@...mail.com>, Johannes Stadlinger <johannes.stadlinger@....de>, Kurt Kanzenbach <ly80toro@....cs.fau.de>, Dominik Paulus <dominik.paulus@....de>, Tobias Polzer <tobias.polzer@....de> Subject: [PATCH 05/18] usbip: Add ACL support to usbip bind Add the command line argument -a (--allow) to usbip bind to specify networks allowed to attach to the device and code to store the ACLs in sysfs. Signed-off-by: Maximilian Eschenbacher <maximilian@...henbacher.email> Signed-off-by: Fjodor Schelichow <fjodor.schelichow@...mail.com> Signed-off-by: Johannes Stadlinger <johannes.stadlinger@....de> Signed-off-by: Kurt Kanzenbach <ly80toro@....cs.fau.de> Signed-off-by: Dominik Paulus <dominik.paulus@....de> Signed-off-by: Tobias Polzer <tobias.polzer@....de> --- tools/usb/usbip/doc/usbip.8 | 8 +++++- tools/usb/usbip/src/usbip_bind.c | 62 ++++++++++++++++++++++++++++++++-------- 2 files changed, 57 insertions(+), 13 deletions(-) diff --git a/tools/usb/usbip/doc/usbip.8 b/tools/usb/usbip/doc/usbip.8 index 847aa40..c7ba36f 100644 --- a/tools/usb/usbip/doc/usbip.8 +++ b/tools/usb/usbip/doc/usbip.8 @@ -60,9 +60,15 @@ Detach an imported USB device. .PP .HP -\fBbind\fR \-\-busid=<\fIbusid\fR> +\fBbind\fR \-\-busid=<\fIbusid\fR> [\-\-allow=<\fICIDR mask\fR>...] .IP Make a device exportable. +.br +\-\-allow accepts CIDR masks like 127.0.0.0/8 or fd00::/64 +.br +Only hosts in (at least) one of the allowed ranges are accepted. If +\-\-allow is omitted, 0.0.0.0/0 and ::/0 are added to the list. The list can +be read/written from corresponding \fBusbip_acl\fR file in sysfs after bind. .PP .HP diff --git a/tools/usb/usbip/src/usbip_bind.c b/tools/usb/usbip/src/usbip_bind.c index fa46141..b888ea3 100644 --- a/tools/usb/usbip/src/usbip_bind.c +++ b/tools/usb/usbip/src/usbip_bind.c @@ -38,8 +38,9 @@ enum unbind_status { static const char usbip_bind_usage_string[] = "usbip bind <args>\n" - " -b, --busid=<busid> Bind " USBIP_HOST_DRV_NAME ".ko to device " - "on <busid>\n"; + " -b, --busid=<busid> Bind " USBIP_HOST_DRV_NAME ".ko to " + "device on <busid>\n" + " -a, --allow=<CIDR mask> Restrict device access to <CIDR mask>\n"; void usbip_bind_usage(void) { @@ -47,10 +48,11 @@ void usbip_bind_usage(void) } /* call at unbound state */ -static int bind_usbip(char *busid) +static int bind_usbip(char *busid, char *allow) { char attr_name[] = "bind"; char bind_attr_path[SYSFS_PATH_MAX]; + char ip_attr_path[SYSFS_PATH_MAX]; int rc = -1; snprintf(bind_attr_path, sizeof(bind_attr_path), "%s/%s/%s/%s/%s/%s", @@ -64,6 +66,19 @@ static int bind_usbip(char *busid) return -1; } + /* + * store allowed IP ranges + * specified by `usbip bind -b <busid> --allow <CIDR mask>` + */ + snprintf(ip_attr_path, sizeof(ip_attr_path), "%s/%s/%s/%s/%s/%s/%s", + SYSFS_MNT_PATH, SYSFS_BUS_NAME, SYSFS_BUS_TYPE, + SYSFS_DRIVERS_NAME, USBIP_HOST_DRV_NAME, busid, "usbip_acl"); + rc = write_sysfs_attribute(ip_attr_path, allow, strlen(allow)); + if (rc < 0) { + err("error writing cidr mask %s", allow); + return -1; + } + return 0; } @@ -139,7 +154,7 @@ out: return status; } -static int bind_device(char *busid) +static int bind_device(char *busid, char *allow) { int rc; struct udev *udev; @@ -170,7 +185,7 @@ static int bind_device(char *busid) return -1; } - rc = bind_usbip(busid); + rc = bind_usbip(busid, allow); if (rc < 0) { err("could not bind device to %s", USBIP_HOST_DRV_NAME); modify_match_busid(busid, 0); @@ -186,29 +201,52 @@ int usbip_bind(int argc, char *argv[]) { static const struct option opts[] = { { "busid", required_argument, NULL, 'b' }, + { "allow", optional_argument, NULL, 'a' }, { NULL, 0, NULL, 0 } }; - int opt; - int ret = -1; + int opt, rc; + char allow[4096]; + char *device = NULL; + struct subnet subnet; + + allow[0] = 0; for (;;) { - opt = getopt_long(argc, argv, "b:", opts, NULL); + opt = getopt_long(argc, argv, "a:b:", opts, NULL); if (opt == -1) break; switch (opt) { + case 'a': + rc = parse_cidr(optarg, &subnet); + if (rc < 0) { + err("Invalid subnet specified: %s", optarg); + goto err_out; + } + + if (strlen(allow) < sizeof(allow) - strlen(optarg) - 2) + sprintf(allow + strlen(allow), "%s\n", optarg); + else + err("ACL length too long."); + break; case 'b': - ret = bind_device(optarg); - goto out; + device = optarg; + break; default: goto err_out; } } + /* By default, allow access from all IPs */ + if (!allow[0]) + strcpy(allow, "::/0\n0.0.0.0/0\n"); + + if (device) + return bind_device(device, allow); + err_out: usbip_bind_usage(); -out: - return ret; + return -1; } -- 2.1.0 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists