| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241203092456.5dde2476@hermes.local> Date: Tue, 3 Dec 2024 09:24:56 -0800 From: Stephen Hemminger <stephen@...workplumber.org> To: Leon Romanovsky <leon@...nel.org> Cc: Bjorn Helgaas <helgaas@...nel.org>, Leon Romanovsky <leonro@...dia.com>, Krzysztof Wilczyński <kw@...ux.com>, linux-pci@...r.kernel.org, Ariel Almog <ariela@...dia.com>, Aditya Prabhune <aprabhune@...dia.com>, Hannes Reinecke <hare@...e.de>, Heiner Kallweit <hkallweit1@...il.com>, Arun Easi <aeasi@...vell.com>, Jonathan Chocron <jonnyc@...zon.com>, Bert Kenward <bkenward@...arflare.com>, Matt Carlson <mcarlson@...adcom.com>, Kai-Heng Feng <kai.heng.feng@...onical.com>, Jean Delvare <jdelvare@...e.de>, Alex Williamson <alex.williamson@...hat.com>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, Jakub Kicinski <kuba@...nel.org>, Thomas Weißschuh <linux@...ssschuh.net> Subject: Re: [PATCH v3] PCI/sysfs: Change read permissions for VPD attributes On Tue, 3 Dec 2024 14:15:28 +0200 Leon Romanovsky <leon@...nel.org> wrote: > The Vital Product Data (VPD) attribute is not readable by regular > user without root permissions. Such restriction is not needed at > all for Mellanox devices, as data presented in that VPD is not > sensitive and access to the HW is safe and well tested. > > This change changes the permissions of the VPD attribute to be accessible > for read by all users for Mellanox devices, while write continue to be > restricted to root only. > > The main use case is to remove need to have root/setuid permissions > while using monitoring library [1]. > > [leonro@vm ~]$ lspci |grep nox > 00:09.0 Ethernet controller: Mellanox Technologies MT2910 Family [ConnectX-7] > > Before: > [leonro@vm ~]$ ls -al /sys/bus/pci/devices/0000:00:09.0/vpd > -rw------- 1 root root 0 Nov 13 12:30 /sys/bus/pci/devices/0000:00:09.0/vpd > After: > [leonro@vm ~]$ ls -al /sys/bus/pci/devices/0000:00:09.0/vpd > -rw-r--r-- 1 root root 0 Nov 13 12:30 /sys/bus/pci/devices/0000:00:09.0/vpd > > [1] https://developer.nvidia.com/management-library-nvml > Signed-off-by: Leon Romanovsky <leonro@...dia.com> > --- > Changelog: > v3: > * Used | to change file attributes > * Remove WARN_ON > v2: https://lore.kernel.org/all/61a0fa74461c15edfae76222522fa445c28bec34.1731502431.git.leon@kernel.org > * Another implementation to make sure that user is presented with > correct permissions without need for driver intervention. > v1: https://lore.kernel.org/all/cover.1731005223.git.leonro@nvidia.com > * Changed implementation from open-read-to-everyone to be opt-in > * Removed stable and Fixes tags, as it seems like feature now. > v0: > https://lore.kernel.org/all/65791906154e3e5ea12ea49127cf7c707325ca56.1730102428.git.leonro@nvidia.com/ > --- > drivers/pci/vpd.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c > index a469bcbc0da7..a7aa54203321 100644 > --- a/drivers/pci/vpd.c > +++ b/drivers/pci/vpd.c > @@ -332,6 +332,13 @@ static umode_t vpd_attr_is_visible(struct kobject *kobj, > if (!pdev->vpd.cap) > return 0; > > + /* > + * Mellanox devices have implementation that allows VPD read by > + * unprivileged users, so just add needed bits to allow read. > + */ > + if (unlikely(pdev->vendor == PCI_VENDOR_ID_MELLANOX)) > + return a->attr.mode | 0044; > + > return a->attr.mode; > } > Could this be with other vendor specific quirks instead? Also, the wording of the comment is awkward. Suggest: On Mellanox devices reading VPD is safe for unprivileged users.
Powered by blists - more mailing lists