A very common use case is to limit read and/or write access to certain
sysfs objects to only root with the expectation that the CAP_SYS_ADMIN
capability is needed to access sensitive data exposed through such sysfs
objects.
The existing macros such as BIN_ATTR_RO and BIN_ATTR_RW are sadly
inadequate given the specific need to limit access only to the root
user, as they offer permissions that are too open e.g., 0444 and 0644,
thus a lot of users of binary attributes with this specific use case,
for example, the PCI "config", "rom" and "vps" sysfs objects, would opt
to use the BIN_ATTR macro directly specifying 0400 or 0600 as needed.
Add a new set of macros with an explicit "ADMIN" identifier catering to
this specific use case that also follows the semantic of other existing
macros such as e.g., BIN_ATTR_RO, BIN_ATTR_RW, BIN_ATTR_WO, etc.
No functional change intended.
Related:
commit 60d360acddc5 ("driver-core: Introduce DEVICE_ATTR_ADMIN_{RO,RW}")
Signed-off-by: Krzysztof Wilczyński <kw@xxxxxxxxx>
---
include/linux/sysfs.h | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h
index d76a1ddf83a3..9f423dfa8494 100644
--- a/include/linux/sysfs.h
+++ b/include/linux/sysfs.h
@@ -205,6 +205,13 @@ struct bin_attribute {
.size = _size, \
}
+#define __BIN_ATTR_RO_MODE(_name, _mode, _size) { \
+ .attr = { .name = __stringify(_name), \
+ .mode = VERIFY_OCTAL_PERMISSIONS(_mode) }, \
+ .read = _name##_read, \
+ .size = _size, \
+}
+
#define __BIN_ATTR_WO(_name, _size) { \
.attr = { .name = __stringify(_name), .mode = 0200 }, \
.write = _name##_write, \
@@ -214,6 +221,14 @@ struct bin_attribute {
#define __BIN_ATTR_RW(_name, _size) \
__BIN_ATTR(_name, 0644, _name##_read, _name##_write, _size)
+#define __BIN_ATTR_RW_MODE(_name, _mode, _size) { \
+ .attr = { .name = __stringify(_name), \
+ .mode = VERIFY_OCTAL_PERMISSIONS(_mode) }, \
+ .read = _name##_read, \
+ .write = _name##_write, \
+ .size = _size, \
+}
+
#define __BIN_ATTR_NULL __ATTR_NULL
#define BIN_ATTR(_name, _mode, _read, _write, _size) \
@@ -223,12 +238,20 @@ struct bin_attribute bin_attr_##_name = __BIN_ATTR(_name, _mode, _read, \
#define BIN_ATTR_RO(_name, _size) \
struct bin_attribute bin_attr_##_name = __BIN_ATTR_RO(_name, _size)
+#define BIN_ATTR_ADMIN_RO(_name, _size) \
+struct bin_attribute bin_attr_##_name = __BIN_ATTR_RO_MODE(_name, 0400, \
+ _size)
+
#define BIN_ATTR_WO(_name, _size) \
struct bin_attribute bin_attr_##_name = __BIN_ATTR_WO(_name, _size)
#define BIN_ATTR_RW(_name, _size) \
struct bin_attribute bin_attr_##_name = __BIN_ATTR_RW(_name, _size)
+#define BIN_ATTR_ADMIN_RW(_name, _size) \
+struct bin_attribute bin_attr_##_name = __BIN_ATTR_RW_MODE(_name, 0600, \
+ _size)
+
struct sysfs_ops {
ssize_t (*show)(struct kobject *, struct attribute *, char *);
ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
--
2.31.0
