On Sat, 5 Dec 2009, Alan Cox wrote:
> On Sat, 05 Dec 2009 21:35:55 +0100
> Miklos Szeredi <miklos@xxxxxxxxxx> wrote:
>
> > On Sat, 5 Dec 2009, Alan Cox wrote:
> > > I am concerned primarily about the lack of ability to get rid of such a
> > > handle in a controlled fashion. The udev/device unload case is simply one
> > > obvious way to exploit it.
> >
> > I don't understand your concern. Can you please ellaborate on the way
> > to exploit O_NODE?
>
> You end up with a handle to an object which then changes meaning if a
> device is unloaded and something else loaded (or consider a pty
> recreation)
OK.
> In the normal udev course of things this is ok because even without
> revoke udev can just about get away with it for the sole reason it knows
> that the handle cannot be open in any form during the driver unload
> (because of the device refcounting). You seem to break that.
No. Udev is ok, because it already does revoke access to the device
on unloading:
:/* Reset permissions on the device node, before unlinking it to make sure,
: * that permissions of possible hard links will be removed too.
: */
:int util_unlink_secure(struct udev *udev, const char *filename)
:{
: int err;
:
: chmod(filename, 0000);
...
So I think we agree, that some sort of revoke is needed. But just
resetting the permissions is fine, there's no need to actually revoke
access for the file descriptor opened with O_NODE.
Do you agree?
Thanks,
Miklos
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
