Re: [PATCH 2/2 v2] pci: use security_capable() when checking capablities during config space read

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, 10 Feb 2011 15:58:56 -0800
Chris Wright <chrisw@xxxxxxxxxxxx> wrote:

> * James Morris (jmorris@xxxxxxxxx) wrote:
> > What about these other users of cap_raised?
> > 
> > drivers/block/drbd/drbd_nl.c:   if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) {
> > drivers/md/dm-log-userspace-transfer.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> > drivers/staging/pohmelfs/config.c:      if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> > drivers/video/uvesafb.c:        if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> 
> Those are a security_netlink_recv() variant.  They should be converted
> although makes sense as a different patchset.
> 
> > Also, should this have a reported-by for Eric ?
> 
> Yes it should, thanks.  Below is patch with Reported-by added (seemed
> overkill to respin the series; holler if that's perferred).
> 
> thanks,
> -chris
> ---
> 
> From: Chris Wright <chrisw@xxxxxxxxxxxx>
> Subject: [PATCH 2/2 v2] pci: use security_capable() when checking capablities during config space read
> 
> Eric Paris noted that commit de139a3 ("pci: check caps from sysfs file
> open to read device dependent config space") caused the capability check
> to bypass security modules and potentially auditing.  Rectify this by
> calling security_capable() when checking the open file's capabilities
> for config space reads.
> 
> Reported-by: Eric Paris <eparis@xxxxxxxxxx>
> Cc: Eric Paris <eparis@xxxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxx>
> Cc: Jesse Barnes <jbarnes@xxxxxxxxxxxxxxxx>
> Cc: Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>
> Cc: linux-pci@xxxxxxxxxxxxxxx
> Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
> ---
>  drivers/pci/pci-sysfs.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)

Sorry for the late reply, but this is fine with me.  Should probably
just get pushed along with the change to security_capable (assuming
that hasn't been done already).

Acked-by: Jesse Barnes <jbarnes@xxxxxxxxxxxxxxxx>

-- 
Jesse Barnes, Intel Open Source Technology Center
--
To unsubscribe from this list: send the line "unsubscribe linux-pci" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [DMA Engine]     [Linux Coverity]     [Linux USB]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Greybus]

  Powered by Linux