| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20171013204611.7487f55c@alans-desktop>
Date: Fri, 13 Oct 2017 20:46:11 +0100
From: Alan Cox <gnomes@...rguk.ukuu.org.uk>
To: <Mario.Limonciello@...l.com>
Cc: <greg@...ah.com>, <dvhart@...radead.org>,
<andy.shevchenko@...il.com>, <linux-kernel@...r.kernel.org>,
<platform-driver-x86@...r.kernel.org>, <luto@...nel.org>,
<quasisec@...gle.com>, <pali.rohar@...il.com>, <rjw@...ysocki.net>,
<mjg59@...gle.com>, <hch@....de>
Subject: Re: [PATCH v7 10/15] platform/x86: dell-smbios: add filtering
capability for requests
> I think I'd actually like to meld this with your other ideas and what I've
> currently got. What do you think of this approach:
>
> /* kernel community doesn't feel userspace should have access at all
> * or other kernel drivers use this
> */
> if (blacklisted)
> return NO;
>
> /* unprivileged access allowed */
> if (whitelisted & (capabilities && whitelist->capability_need) ==
> whitelist->capability_need))
> return ALLOWED;
>
> /* not yet in whitelist, or need privs to do */
> if (capable(CAP_SYS_RAWIO))
> return ALLOWED;
>
> return NO
>
This looks sensible to me. Note that the middle case isn't necessarily
'unprviliged'. If the entyr is whitelisted and the capability_need is 0
then it means 'anyone' but you can also set any other appropriate
capability (eg CAP_NET_ADMIN for a WMI call that does stuff to the wifi).
Alan
Powered by blists - more mailing lists