On Tue, 5 Apr 2011, Andrei Warkentin wrote:
> On Tue, Apr 5, 2011 at 4:59 PM, John Calixto
> <john.calixto@xxxxxxxxxxxxxx> wrote:
> > Some ACMDs might actually damage the card. This check ensures the
> > caller has CAP_SYS_ADMIN before allowing such an activity.
> >
> > Signed-off-by: John Calixto <john.calixto@xxxxxxxxxxxxxx>
> > ---
> > drivers/mmc/card/block.c | 29 +++++++++++++++++++++++++++++
> > 1 files changed, 29 insertions(+), 0 deletions(-)
> >
> > diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
> > index c2e107c..2ed8c57 100644
> > --- a/drivers/mmc/card/block.c
> > +++ b/drivers/mmc/card/block.c
> > @@ -31,6 +31,7 @@
> > #include <linux/mutex.h>
> > #include <linux/scatterlist.h>
> > #include <linux/string_helpers.h>
> > +#include <linux/capability.h>
> > #include <linux/compat.h>
> > #include <linux/delay.h>
> >
> > @@ -205,6 +206,34 @@ static int mmc_blk_ioctl_acmd(struct block_device *bdev,
> > goto acmd_done;
> > }
> >
> > + /*
> > + * The following ACMDs are known to be nondestructive. They are used
> > + * by SD security applications (ref: SD Specifications, Part 1,
> > + * Physical Layer Simplified Specification, Version 3.01, Table 4-27).
> > + * Any other commands require CAP_SYS_ADMIN because they may destroy
> > + * the card.
> > + */
> > + switch (sdic.opcode) {
> > + case SD_APP_SD_STATUS:
> > + case 18:
> > + case 25:
> > + case 26:
> > + case 38:
> > + case 43:
> > + case 44:
> > + case 45:
> > + case 46:
> > + case 47:
> > + case 48:
> > + case 49:
> > + break;
> > + default:
> > + if (!capable(CAP_SYS_ADMIN)) {
> > + err = -EPERM;
> > + goto acmd_done;
> > + }
> > + }
> > +
> > cmd.opcode = sdic.opcode;
> > cmd.arg = sdic.arg;
> > cmd.flags = sdic.flags;
> > --
> > 1.7.4.1
>
> Hi John,
>
> Just to clarify, were the commands supposed to exclude commands that do writes?
>
> In MMC-land:
> CMD18 is PROGRAM_CID (which is a once-in-a-lifetime operation).
> CMD38 is erase
> CMD25 is write_multiple_block - this can give a non-root user full
> control over a disk, bypassing security.
Hi Andrei,
I have CMD18 as READ_MULTIPLE_BLOCK... Regardless, this ioctl is
specifically for ACMD opcodes (application-specific; preceeded by
CMD55), not CMD opcodes.
>
> You should definitely check if the the target device is MMC or SD.
> Because the MMC and SD have slightly differing command sets.
>
Given that this patch is a conservative opcode filter (it demands
CAP_SYS_ADMIN for all opcodes *except* those listed explicitly), do you
think I still need to add another check for SD vs. MMC?
John
