From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Matthew Garrett <mjg59@coreos.com>
Cc: Kees Cook <keescook@chromium.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
Ulf Hansson <ulf.hansson@linaro.org>,
Mauro Carvalho Chehab <mchehab@kernel.org>,
Tomeu Vizoso <tomeu.vizoso@collabora.com>,
Lukas Wunner <lukas@wunner.de>,
Madalin Bucur <madalin.bucur@nxp.com>,
Sudip Mukherjee <sudipm.mukherjee@gmail.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Arnd Bergmann <arnd@arndb.de>,
Andrew Morton <akpm@linux-foundation.org>,
Russell King <rmk+kernel@arm.linux.org.uk>,
Petr Tesarik <ptesarik@suse.com>,
linux-pm@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH] Allow userspace control of runtime disabling/enabling of driver probing
Date: Wed, 4 Jan 2017 20:47:07 +0100
Message-ID: <20170104194707.GD25268@kroah.com>
In-Reply-To: <CAPeXnHue8hKFiMsddMTN7Hb5RWBGXWUgy2-kpXNLwBfOdf0QVA@mail.gmail.com>

On Wed, Jan 04, 2017 at 12:31:45PM -0600, Matthew Garrett wrote:
> On Wed, Jan 4, 2017 at 12:10 PM, Matthew Garrett <mjg59@coreos.com> wrote:
> >
> > The USB authentication feature was intended for handling wireless USB
> > devices - it can be reused for this, but the code isn't generic enough
> > to apply to other bus types. The two interact in exactly the way you'd
> > expect, ie they don't. If you use both, then you need to handle both.
>
> And as an example of why the USB authorisation feature isn't
> sufficient - the interface configuration isn't picked until after
> you've authorised the device, which means you can't necessarily tell
> the difference between a keyboard and an ethernet adapter until after
> you've authorised it.

You know the device type and vendor/product id before you authorize it,
you should be able to do this type of detection otherwise it seems
pretty pointless :)

> That defeats the object, but it can't be changed without breaking the
> wireless USB case.

No one has wireless USB devices, this all works the same for any USB
device :)

thanks,
greg k-h
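
The pre-authorization check under discussion, as an added example that is not part of the original message or the proposed patch: a userspace policy that reads only the device-level sysfs attributes present while `authorized` is still `0`. The attribute names (`authorized`, `idVendor`, `idProduct`, `bDeviceClass`) are the kernel's USB sysfs files; the allowlist entry, the function names and the sample device values are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide on USB authorization from device-level attributes.
# ALLOWLIST and every sample value below are constructed, not from the thread.

ALLOWLIST="046d:c31c"   # vendor:product pairs the policy accepts

# Print allow, deny or defer for one device directory, using only what is
# readable before the device is authorized.
usb_policy() {
    d=$1
    if [ ! -r "$d/idVendor" ] || [ ! -r "$d/idProduct" ]; then
        echo deny; return 0
    fi
    id="$(cat "$d/idVendor"):$(cat "$d/idProduct")"
    for ok in $ALLOWLIST; do
        if [ "$id" = "$ok" ]; then echo allow; return 0; fi
    done
    # bDeviceClass 00 defers the class to the interface descriptors, so the
    # device descriptor alone does not say what the device does.
    if [ "$(cat "$d/bDeviceClass" 2>/dev/null)" = "00" ]; then
        echo defer
    else
        echo deny
    fi
}

# Authorize every still-unauthorized device under $1 that the policy allows.
# Prints one "name verdict" line per device examined.
usb_apply() {
    root=$1
    for dev in "$root"/*; do
        case "${dev##*/}" in *:*) continue ;; esac   # skip interface nodes
        [ -f "$dev/authorized" ] || continue
        if [ "$(cat "$dev/authorized")" != "0" ]; then continue; fi
        verdict=$(usb_policy "$dev")
        echo "${dev##*/} $verdict"
        if [ "$verdict" = allow ]; then echo 1 > "$dev/authorized"; fi
    done
}

# Build one constructed device directory: dir vendor product class.
make_dev() {
    mkdir -p "$1"
    echo "$2" > "$1/idVendor"; echo "$3" > "$1/idProduct"
    echo "$4" > "$1/bDeviceClass"; echo 0 > "$1/authorized"
}
```

On a real system the tree is `/sys/bus/usb/devices`, and devices only arrive unauthorized after `0` has been written to the host controller's `authorized_default`.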