Date:   Tue, 31 May 2022 17:41:06 +0200
From:   Mark Brown <broonie@...nel.org>
To:     Prasad Sodagudi <quic_psodagud@...cinc.com>
Cc:     linux-spi@...r.kernel.org, linux-i2c@...r.kernel.org,
        wsa@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [Query] Looking for comments on CONFIG_SPI_SPIDEV and
 CONFIG_I2C_CHARDEV interfaces security

On Tue, May 31, 2022 at 08:25:26AM -0700, Prasad Sodagudi wrote:

> I am working on an IoT solution and would like to understand the security
> impact of these two CONFIG_SPI_SPIDEV and CONFIG_I2C_CHARDEV interfaces of
> Linux. If a driver is developed from userspace for /dev/spiX.Y or /dev/i2c
> interfaces, are there any security concerns?

Well, you have to ensure that only userspace processes that you
want to have access to the spidev and I2C interfaces actually
have access to them, which is something that could go wrong.  For
I2C you IIRC don't have a mechanism to partition devices between
different users since it all goes through /dev/i2c rather than
per-device userspace devices.

> The userspace driver is to control an external SPI slave on board. I heard
> that these interfaces allow access to any of these types of devices on
> board. How to avoid any unwanted access to these types of devices from
> userspace? Can SELinux or any mechanism control access to other devices of
> these types from userspace?

You can use all the usual permission mechanisms to control access
to devices (probably using udev to set up permissions when things
are instantiated).  I'd expect this to include SELinux.
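
A check in the spirit of the reply above, as an added example that is not part of the original email: it walks a device directory and reports spidev and i2c-dev nodes that are open to all users or to a group outside an allow-list. The udev rules in the comment, the group name `sensord` and the function name `audit_bus_nodes` are assumptions for illustration.

```python
import os
import stat
import sys

# Constructed udev rules a deployment might install so that only one service
# group can open the bus nodes (the group name "sensord" is hypothetical):
#   SUBSYSTEM=="spidev",  KERNEL=="spidev0.0", GROUP="sensord", MODE="0660"
#   SUBSYSTEM=="i2c-dev", KERNEL=="i2c-1",     GROUP="sensord", MODE="0660"
# A spidev node maps to one chip select; an i2c-N node covers a whole bus.

PREFIXES = ("spidev", "i2c-")


def audit_bus_nodes(dev_dir="/dev", allowed_gids=frozenset()):
    """Return (path, problem) findings for spidev/i2c-dev nodes in dev_dir."""
    findings = []
    for name in sorted(os.listdir(dev_dir)):
        if not name.startswith(PREFIXES):
            continue
        path = os.path.join(dev_dir, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # symlinks carry no meaningful permission bits
        mode = stat.S_IMODE(st.st_mode)
        # Any read or write bit for "other" lets every local process in.
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(
                (path, "accessible to all users (mode %04o)" % mode))
        # Group access is fine only for groups the deployment expects.
        if mode & (stat.S_IRGRP | stat.S_IWGRP) and st.st_gid not in allowed_gids:
            findings.append(
                (path, "group access for unexpected gid %d" % st.st_gid))
    return findings


if __name__ == "__main__":
    # Usage: audit.py [allowed_gid ...]
    gids = frozenset(int(arg) for arg in sys.argv[1:])
    results = audit_bus_nodes("/dev", gids)
    for node, problem in results:
        print("%s: %s" % (node, problem))
    sys.exit(1 if results else 0)
```
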
