From: Vasiliy Kulikov <segooon@gmail.com>
To: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: check capabilities in open()
Date: Sat, 24 Jul 2010 16:07:01 +0000
Message-ID: <20100724160701.GA4907@albatros>
Hi,
I've found that some drivers check process capabilities via capable() in
open(), not in ioctl()/write()/etc.
I cannot find an answer in POSIX, but IMO a process expects that file
descriptors of a privileged user and file descriptors of the same
file/device are the same in the privilege aspect. A driver should deny/allow
open() and deny/allow ioctl() based on user privileges. The path by which
the process gained this fd doesn't matter.
So I think these 2 examples should be equal:
1) root process opened the file and then dropped its privileges
2) nonroot process opened the file
Currently the gained fds are different in the privilege aspect.
If you think these are bugs, I can move capable() checking down to
ioctl()/write()/read()/etc.
This is the full list of such drivers:
drivers/staging/comedi/comedi_fops.c
drivers/oprofile/event_buffer.c
drivers/s390/char/vmcp.c
drivers/s390/char/zcore.c
drivers/net/ppp_generic.c
drivers/scsi/3w-sas.c
drivers/scsi/pmcraid.c
drivers/scsi/megaraid.c
drivers/scsi/megaraid/megaraid_sas.c
drivers/scsi/megaraid/megaraid_mm.c
drivers/char/mem.c
drivers/char/tty_io.c
drivers/char/agp/frontend.c
drivers/char/apm-emulation.c
This is the Coccinelle script to find that:
@ r1 @
identifier fops;
identifier openx;
@@
struct file_operations fops = {
...
.open = openx,
...
};
@@
identifier r1.openx;
@@
openx(...)
{
...
*capable(...)
...
}
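Added here as an illustration, not part of the mail or of any of the listed drivers: a user-space model of the two patterns the mail contrasts. The kernel names (capable(), struct file, struct file_operations) are mocked so it compiles with a plain C compiler; `current_caps` stands in for the calling task's credentials, and the CAP_SYS_ADMIN bit value is constructed, not the kernel's.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define CAP_SYS_ADMIN (1u << 0)      /* constructed bit, not the kernel's value */

static unsigned int current_caps;    /* mock of the calling task's capabilities */
static bool capable(unsigned int cap) { return (current_caps & cap) != 0; }

struct file { void *private_data; };
struct file_operations { int (*open)(struct file *); int (*ioctl)(struct file *); };

/* Pattern the Coccinelle script reports: privilege checked only in open(). */
static int oc_open(struct file *f)  { (void)f; return capable(CAP_SYS_ADMIN) ? 0 : -EPERM; }
static int oc_ioctl(struct file *f) { (void)f; return 0; }   /* trusts open() */

/* Proposed change: check at the privileged operation itself. */
static int ic_open(struct file *f)  { (void)f; return 0; }
static int ic_ioctl(struct file *f) { (void)f; return capable(CAP_SYS_ADMIN) ? 0 : -EPERM; }

static const struct file_operations open_checked  = { oc_open, oc_ioctl };
static const struct file_operations ioctl_checked = { ic_open, ic_ioctl };

/* Scenario 1 from the mail: a privileged process opens the device, drops its
 * capabilities, then issues the ioctl on the fd it still holds. */
static int open_then_drop(const struct file_operations *fops)
{
    struct file f = {0};
    current_caps = CAP_SYS_ADMIN;
    if (fops->open(&f) != 0)
        return -EACCES;              /* cannot happen for either pattern here */
    current_caps = 0;                /* privileges dropped; fd stays open */
    return fops->ioctl(&f);
}

/* Scenario 2: an unprivileged process opens the device and calls ioctl. */
static int unprivileged(const struct file_operations *fops)
{
    struct file f = {0};
    int rc;
    current_caps = 0;
    rc = fops->open(&f);
    return rc != 0 ? rc : fops->ioctl(&f);
}

int main(void)
{
    printf("check in open():  scenario1=%d scenario2=%d\n",
           open_then_drop(&open_checked), unprivileged(&open_checked));
    printf("check in ioctl(): scenario1=%d scenario2=%d\n",
           open_then_drop(&ioctl_checked), unprivileged(&ioctl_checked));
    return 0;
}
```

With the check in open(), scenario 1 returns 0 (the ioctl succeeds after the privileges are gone) while scenario 2 fails at open() with -EPERM; with the check moved into ioctl(), both scenarios return -EPERM, which is the equivalence the mail asks for.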