Il 25/05/2013 07:27, Christoph Hellwig ha scritto: > On Fri, May 24, 2013 at 09:35:02PM -0700, James Bottomley wrote: >> I'll go along with this. I'm also wondering what the problem would be >> if we just allowed all commands on either CAP_SYS_RAWIO or opening the >> device for write, so we just defer to the filesystem permissions and >> restricted read only opens to the basic all device opcodes. > > I've been out of this area for a bit, but the problem used to be that > you could send destructive commands to a partition. The right fix > for that would be to not allow SG_IO on partitions at all, just > wondering if anything would be broken by this. Linus wanted to keep that for CAP_SYS_RAWIO. We found two uses of SG_IO on partitions: zfs-fuse used SYNCHRONIZE CACHE; some proprietary driver used TEST UNIT READY. Really, the solution is to make the bitmaps configurable in userspace. It is no less secure than unpriv_sgio. Then the kernel can be configured at build-time to have either an MMC bitmap and a basic whitelist of a dozen commands. We can even avoid working around those few conflicting opcodes; if you're paranoid you can just configure your kernel right. Paolo -- To unsubscribe from this list: send the line "unsubscribe linux-scsi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
