Message-Id: <20200306172010.1213899-1-ckuehl@redhat.com>
Date:   Fri,  6 Mar 2020 09:20:09 -0800
From:   Connor Kuehl <ckuehl@...hat.com>
To:     thomas.lendacky@....com, herbert@...dor.apana.org.au,
        davem@...emloft.net
Cc:     gary.hook@....com, erdemaktas@...gle.com, rientjes@...gle.com,
        brijesh.singh@....com, npmccallum@...hat.com, bsd@...hat.com,
        linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
        Connor Kuehl <ckuehl@...hat.com>
Subject: [PATCH 0/1] crypto: ccp: use file mode for sev ioctl permissions

Some background:

My team is working on a project that interacts very closely with
SEV so we have a layer of code that wraps around the SEV ioctl calls.
We have an automated test suite that ends up testing these ioctls
on our test machine.

We are in the process of adding this test machine as a dedicated test
runner in our continuous integration process. Any time someone opens a
pull request against our project, this test runner automatically checks
that code out and executes the tests.

Right now, the SEV ioctls that affect the state of the platform require
CAP_SYS_ADMIN to run. This is not a capability we can give to an
automated test runner, because it means that anyone who would like to
contribute to the project would be able to run any code they want (for
good or evil) as CAP_SYS_ADMIN on our machine.

This patch replaces the check for CAP_SYS_ADMIN with a check that can
still be easily controlled by an administrator with the file permissions
ACL. This way access to the device can still be controlled, but without
also assigning such broad system privileges at the same time.

Connor Kuehl (1):
  crypto: ccp: use file mode for sev ioctl permissions

 drivers/crypto/ccp/sev-dev.c | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

-- 
2.24.1
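
Added example, not part of the original message or the patch: once access is decided by file permissions instead of CAP_SYS_ADMIN, the device node's mode and ownership become the security boundary, so they are worth auditing. This sketch assumes the node is `/dev/sev` and that being able to open it for writing is what admits the state-changing ioctls; the function and constant names are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <sys/stat.h>

/* Finding bits returned by audit_sev_node() (hypothetical names). */
#define SEV_NOT_CHARDEV 0x1 /* path is not a character device */
#define SEV_WORLD_WRITE 0x2 /* any local user can open it for writing */
#define SEV_GROUP_WRITE 0x4 /* a non-root group can open it for writing */
#define SEV_USER_WRITE  0x8 /* a non-root owner can open it for writing */

/* Classify who could open the node for writing, from its stat data alone.
 * Assumption: write access to the node gates the state-changing ioctls. */
unsigned audit_sev_node(const struct stat *st)
{
    unsigned findings = 0;

    if (!S_ISCHR(st->st_mode))
        findings |= SEV_NOT_CHARDEV;
    if (st->st_mode & S_IWOTH)
        findings |= SEV_WORLD_WRITE;
    if ((st->st_mode & S_IWGRP) && st->st_gid != 0)
        findings |= SEV_GROUP_WRITE;
    if ((st->st_mode & S_IWUSR) && st->st_uid != 0)
        findings |= SEV_USER_WRITE;
    return findings;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/sev"; /* assumed node path */
    struct stat st;

    if (stat(path, &st) != 0) {
        perror(path);
        return 2;
    }
    unsigned f = audit_sev_node(&st);
    printf("%s mode=%04o uid=%u gid=%u\n", path,
           (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid, (unsigned)st.st_gid);
    if (f & SEV_NOT_CHARDEV) puts("  not a character device");
    if (f & SEV_WORLD_WRITE) puts("  world-writable: every local user passes the mode check");
    if (f & SEV_GROUP_WRITE) puts("  writable by a non-root group: review its membership");
    if (f & SEV_USER_WRITE)  puts("  writable by a non-root owner");
    return (f & (SEV_NOT_CHARDEV | SEV_WORLD_WRITE)) ? 1 : 0;
}
```

Per-user entries added with `setfacl` are not itemized by `stat(2)`; review those separately with `getfacl`.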
