Re: [PATCH v2 2/2] mmc: Check CAP_SYS_ADMIN for destructive ioctl ACMDs

[Andrei Warkentin <andreiw@xxxxxxxxxxxx>]

On Tue, Apr 5, 2011 at 4:59 PM, John Calixto
<john.calixto@xxxxxxxxxxxxxx> wrote:
> Some ACMDs might actually damage the card.  This check ensures the
> caller has CAP_SYS_ADMIN before allowing such an activity.
>
> Signed-off-by: John Calixto <john.calixto@xxxxxxxxxxxxxx>
> ---
>  drivers/mmc/card/block.c |   29 +++++++++++++++++++++++++++++
>  1 files changed, 29 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> index c2e107c..2ed8c57 100644
> --- a/drivers/mmc/card/block.c
> +++ b/drivers/mmc/card/block.c
> @@ -31,6 +31,7 @@
>  #include <linux/mutex.h>
>  #include <linux/scatterlist.h>
>  #include <linux/string_helpers.h>
> +#include <linux/capability.h>
>  #include <linux/compat.h>
>  #include <linux/delay.h>
>
> @@ -205,6 +206,34 @@ static int mmc_blk_ioctl_acmd(struct block_device *bdev,
>                goto acmd_done;
>        }
>
> +       /*
> +        * The following ACMDs are known to be nondestructive.  They are used
> +        * by SD security applications (ref: SD Specifications, Part 1,
> +        * Physical Layer Simplified Specification, Version 3.01, Table 4-27).
> +        * Any other commands require CAP_SYS_ADMIN because they may destroy
> +        * the card.
> +        */
> +       switch (sdic.opcode) {
> +       case SD_APP_SD_STATUS:
> +       case 18:
> +       case 25:
> +       case 26:
> +       case 38:
> +       case 43:
> +       case 44:
> +       case 45:
> +       case 46:
> +       case 47:
> +       case 48:
> +       case 49:
> +               break;
> +       default:
> +               if (!capable(CAP_SYS_ADMIN)) {
> +                       err = -EPERM;
> +                       goto acmd_done;
> +               }
> +       }
> +
>        cmd.opcode = sdic.opcode;
>        cmd.arg = sdic.arg;
>        cmd.flags = sdic.flags;
> --
> 1.7.4.1

Hi John,

Just to clarify, were the commands supposed to exclude commands that do writes?

In MMC-land:
CMD18 is PROGRAM_CID (which is a once-in-a-lifetime operation).
CMD38 is erase
CMD25 is write_multiple_block - this can give a non-root user full
control over a disk, bypassing security.

You should definitely check if the the target device is MMC or SD.
Because the MMC and SD have slightly differing command sets.

A
--
To unsubscribe from this list: send the line "unsubscribe linux-mmc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html