Re: PING^7 (was Re: [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542))

Hey, James.

On Fri, May 24, 2013 at 09:35:02PM -0700, James Bottomley wrote:
> > Well, I'd actually much prefer disabling CDB whitelisting for all !MMC
> > devices if at all possible.
> 
> I'll go along with this.  I'm also wondering what the problem would be

Don't think we can.  It'd be a behavior change clearly visible to
userland at this point.

> if we just allowed all commands on either CAP_SYS_RAWIO or opening the
> device for write, so we just defer to the filesystem permissions and
> restricted read only opens to the basic all device opcodes.

Given that there are quite a few cases where we give out block device
permission accesses, changing the behavior by default is likely too
dangerous.

> Do we have a real world example of this?  Getting the kernel out of the
> command filtering business does seem to be a good idea to me.

Something like the following seems workable.

* Fix the security bug.  I don't really care how it's fixed as long as
  the amount of whitelisted commands goes down not up.

* It's not like we can remove the filter for !MMC devices at this
  point, so I think it makes sense to make it per-class so that we can
  *remove* commands which aren't relevant for the device type.  Also,
  we probably wanna add red blinking comment yelling that no further
  commands should be added.

* Merge the patch to give out SG_IO access along with write access, so
  the use cases which want to give out SG_IO access can do so
  explicitly and be fully responsible for the device.  This makes
  sense to me.  If one wants to be allowed to issue raw commands to
  the hardware, one takes the full responsibility.

Thanks.

-- 
tejun