lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20201122053317.GJ807@yoga>
Date:   Sat, 21 Nov 2020 23:33:17 -0600
From:   Bjorn Andersson <bjorn.andersson@...aro.org>
To:     Suman Anna <s-anna@...com>
Cc:     Mathieu Poirier <mathieu.poirier@...aro.org>,
        Arnaud Pouliquen <arnaud.pouliquen@...com>,
        Loic Pallardy <loic.pallardy@...com>,
        Grzegorz Jaszczyk <grzegorz.jaszczyk@...aro.org>,
        Tony Lindgren <tony@...mide.com>,
        linux-remoteproc@...r.kernel.org, linux-omap@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 2/3] remoteproc: Introduce deny_sysfs_ops flag

On Fri 20 Nov 21:44 CST 2020, Suman Anna wrote:

> On 11/20/20 9:38 PM, Bjorn Andersson wrote:
> > On Fri 20 Nov 21:01 CST 2020, Suman Anna wrote:
> > 
> >> The remoteproc framework provides sysfs interfaces for changing
> >> the firmware name and for starting/stopping a remote processor
> >> through the sysfs files 'state' and 'firmware'. The 'recovery'
> >> sysfs file can also be used similarly to control the error recovery
> >> state machine of a remoteproc. These interfaces are currently
> >> allowed irrespective of how the remoteprocs were booted (like
> >> remoteproc self auto-boot, remoteproc client-driven boot etc).
> >> These interfaces can adversely affect a remoteproc and its clients
> >> especially when a remoteproc is being controlled by a remoteproc
> >> client driver(s). Also, not all remoteproc drivers may want to
> >> support the sysfs interfaces by default.
> >>
> >> Add support to deny the sysfs state/firmware/recovery change by
> >> introducing a state flag 'deny_sysfs_ops' that the individual
> >> remoteproc drivers can set based on their usage needs. The default
> >> behavior is to allow the sysfs operations as before.
> >>
> > 
> > This makes sense, but can't we implement attribute_group->is_visible to
> > simply hide these entries from userspace instead of leaving them
> > "broken"?
> 
> I would have to look into that, but can that be changed dynamically?
> Also, note that the enforcement is only on the writes/stores which impact
> the state-machine, but not the reads/shows.
> 
> For PRU usecases, we will be setting this dynamically.
> 

It looks to be dynamic, but I don't know if there's any "caching"
involved. Please have a look and let me know.

Regards,
Bjorn

> regards
> Suman
> 
> > 
> > Regards,
> > Bjorn
> > 
> >> Signed-off-by: Suman Anna <s-anna@...com>
> >> ---
> >> v2: revised to account for the 'recovery' sysfs file as well, patch
> >>     description updated accordingly
> >> v1: https://patchwork.kernel.org/project/linux-remoteproc/patch/20180915003725.17549-5-s-anna@ti.com/
> >>
> >>  drivers/remoteproc/remoteproc_sysfs.c | 12 ++++++++++++
> >>  include/linux/remoteproc.h            |  2 ++
> >>  2 files changed, 14 insertions(+)
> >>
> >> diff --git a/drivers/remoteproc/remoteproc_sysfs.c b/drivers/remoteproc/remoteproc_sysfs.c
> >> index bd2950a246c9..3fd18a71c188 100644
> >> --- a/drivers/remoteproc/remoteproc_sysfs.c
> >> +++ b/drivers/remoteproc/remoteproc_sysfs.c
> >> @@ -49,6 +49,10 @@ static ssize_t recovery_store(struct device *dev,
> >>  {
> >>  	struct rproc *rproc = to_rproc(dev);
> >>  
> >> +	/* restrict sysfs operations if not allowed by remoteproc drivers */
> >> +	if (rproc->deny_sysfs_ops)
> >> +		return -EPERM;
> >> +
> >>  	if (sysfs_streq(buf, "enabled")) {
> >>  		/* change the flag and begin the recovery process if needed */
> >>  		rproc->recovery_disabled = false;
> >> @@ -158,6 +162,10 @@ static ssize_t firmware_store(struct device *dev,
> >>  	char *p;
> >>  	int err, len = count;
> >>  
> >> +	/* restrict sysfs operations if not allowed by remoteproc drivers */
> >> +	if (rproc->deny_sysfs_ops)
> >> +		return -EPERM;
> >> +
> >>  	err = mutex_lock_interruptible(&rproc->lock);
> >>  	if (err) {
> >>  		dev_err(dev, "can't lock rproc %s: %d\n", rproc->name, err);
> >> @@ -225,6 +233,10 @@ static ssize_t state_store(struct device *dev,
> >>  	struct rproc *rproc = to_rproc(dev);
> >>  	int ret = 0;
> >>  
> >> +	/* restrict sysfs operations if not allowed by remoteproc drivers */
> >> +	if (rproc->deny_sysfs_ops)
> >> +		return -EPERM;
> >> +
> >>  	if (sysfs_streq(buf, "start")) {
> >>  		if (rproc->state == RPROC_RUNNING)
> >>  			return -EBUSY;
> >> diff --git a/include/linux/remoteproc.h b/include/linux/remoteproc.h
> >> index 3fa3ba6498e8..dbc3767f7d0e 100644
> >> --- a/include/linux/remoteproc.h
> >> +++ b/include/linux/remoteproc.h
> >> @@ -508,6 +508,7 @@ struct rproc_dump_segment {
> >>   * @has_iommu: flag to indicate if remote processor is behind an MMU
> >>   * @auto_boot: flag to indicate if remote processor should be auto-started
> >>   * @autonomous: true if an external entity has booted the remote processor
> >> + * @deny_sysfs_ops: flag to not permit sysfs operations on state, firmware and recovery
> >>   * @dump_segments: list of segments in the firmware
> >>   * @nb_vdev: number of vdev currently handled by rproc
> >>   * @char_dev: character device of the rproc
> >> @@ -545,6 +546,7 @@ struct rproc {
> >>  	bool has_iommu;
> >>  	bool auto_boot;
> >>  	bool autonomous;
> >> +	bool deny_sysfs_ops;
> >>  	struct list_head dump_segments;
> >>  	int nb_vdev;
> >>  	u8 elf_class;
> >> -- 
> >> 2.28.0
> >>
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ