Re: [RFC PATCH] sysfs: bin_attr permission checking

[Greg KH <greg@kroah.com>]

On Wed, May 12, 2010 at 12:28:28PM -0700, Chris Wright wrote:
> * Greg KH (greg@kroah.com) wrote:
> > On Wed, May 12, 2010 at 11:47:13AM -0700, Chris Wright wrote:
> > > The PCI config space bin_attr read handler has a hardcoded CAP_SYS_ADMIN
> > > check to verify privileges before allowing a user to read device
> > > dependent config space.  This is meant to protect from an unprivileged
> > > user potentially locking up the box.
> > > 
> > > When assigning a PCI device directly to a guest with libvirt and KVM, the 
> > > sysfs config space file is chown'd to the user that the KVM guest will
> > > run as.  The guest needs to have full access to the device's config
> > > space since it's responsible for driving the device.  However, despite
> > > being the owner of the sysfs file, the CAP_SYS_ADMIN check will not
> > > allow read access beyond the config header.
> > > 
> > > This patch adds a new bin_attr->read_file() callback which adds a struct
> > > file to the normal argument list.  This allows an implementation such as
> > > PCI config space bin_attr read_file handler to check both inode
> > > permission as well as privileges to determine whether to allow
> > > privileged actions through the handler.
> > 
> > Ick, this is all because we like showing different information if the
> > user is "privileged or not" :(
> 
> yup
> 
> > Turns out, that this probably isn't the best user api to implement,
> > remind me never to do that again...
> 
> Yeah, it's challenging to deal with.  Alternative here is a new config
> sysfs entry that doesn't have this 'feature'.  (I looked into trying to
> allow manageing the internal capable() check externally, not so pretty).

That would require people to update libpci and maybe their scripts as
well, which wouldn't be as good.

> > > This is just RFC, although I've tested that it does allow the chown +
> > > read to work as expected.  Any other ideas of how to handle this are
> > > welcome.
> > 
> > Can we just pass in the 'file' for all users of the bin files instead of
> > the dentry? 
> 
> The dentry doesn't currently go beyond sysfs/bin.c.  So, yes, I pushed
> 'file' through to last level in bin.c before ->read(), and can certinaly
> just push through to ->read() as well.

That would be better than having a 'read_file' callback, right?

> >  You can always get the dentry from the file (as your patch
> > showes), and there isn't that many users of this interface.  I'd really
> > rather not have two different types of callbacks here.
> 
> Absolutely, this is just RFC (i.e. quicker to compile and test).  What
> about write()?

Sure, might as well make it symmetrical :)

thanks,

greg k-h