From: Stephen Hemminger <stephen@networkplumber.org>
To: Leon Romanovsky <leon@kernel.org>
Cc: "Bjorn Helgaas" <helgaas@kernel.org>,
	"Leon Romanovsky" <leonro@nvidia.com>,
	"Krzysztof Wilczyński" <kw@linux.com>,
	linux-pci@vger.kernel.org, "Ariel Almog" <ariela@nvidia.com>,
	"Aditya Prabhune" <aprabhune@nvidia.com>,
	"Hannes Reinecke" <hare@suse.de>,
	"Heiner Kallweit" <hkallweit1@gmail.com>,
	"Arun Easi" <aeasi@marvell.com>,
	"Jonathan Chocron" <jonnyc@amazon.com>,
	"Bert Kenward" <bkenward@solarflare.com>,
	"Matt Carlson" <mcarlson@broadcom.com>,
	"Kai-Heng Feng" <kai.heng.feng@canonical.com>,
	"Jean Delvare" <jdelvare@suse.de>,
	"Alex Williamson" <alex.williamson@redhat.com>,
	linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
	"Jakub Kicinski" <kuba@kernel.org>,
	"Thomas Weißschuh" <linux@weissschuh.net>
Subject: Re: [PATCH v3] PCI/sysfs: Change read permissions for VPD attributes
Date: Tue, 3 Dec 2024 09:24:56 -0800
Message-ID: <20241203092456.5dde2476@hermes.local>
In-Reply-To: <18f36b3cbe2b7e67eed876337f8ba85afbc12e73.1733227737.git.leon@kernel.org>

On Tue,  3 Dec 2024 14:15:28 +0200
Leon Romanovsky <leon@kernel.org> wrote:

> The Vital Product Data (VPD) attribute is not readable by a regular
> user without root permissions. Such a restriction is not needed at
> all for Mellanox devices, as data presented in that VPD is not
> sensitive and access to the HW is safe and well tested.
> 
> This change changes the permissions of the VPD attribute to be accessible
> for read by all users for Mellanox devices, while write continues to be
> restricted to root only.
> 
> The main use case is to remove the need to have root/setuid permissions
> while using the monitoring library [1].
> 
> [leonro@vm ~]$ lspci |grep nox
> 00:09.0 Ethernet controller: Mellanox Technologies MT2910 Family [ConnectX-7]
> 
> Before:
> [leonro@vm ~]$ ls -al /sys/bus/pci/devices/0000:00:09.0/vpd
> -rw------- 1 root root 0 Nov 13 12:30 /sys/bus/pci/devices/0000:00:09.0/vpd
> After:
> [leonro@vm ~]$ ls -al /sys/bus/pci/devices/0000:00:09.0/vpd
> -rw-r--r-- 1 root root 0 Nov 13 12:30 /sys/bus/pci/devices/0000:00:09.0/vpd
> 
> [1] https://developer.nvidia.com/management-library-nvml
> Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
> ---
> Changelog:
> v3:
>  * Used | to change file attributes
>  * Remove WARN_ON
> v2: https://lore.kernel.org/all/61a0fa74461c15edfae76222522fa445c28bec34.1731502431.git.leon@kernel.org
>  * Another implementation to make sure that user is presented with
>    correct permissions without need for driver intervention.
> v1: https://lore.kernel.org/all/cover.1731005223.git.leonro@nvidia.com
>  * Changed implementation from open-read-to-everyone to be opt-in
>  * Removed stable and Fixes tags, as it seems like feature now.
> v0:
> https://lore.kernel.org/all/65791906154e3e5ea12ea49127cf7c707325ca56.1730102428.git.leonro@nvidia.com/
> ---
>  drivers/pci/vpd.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
> index a469bcbc0da7..a7aa54203321 100644
> --- a/drivers/pci/vpd.c
> +++ b/drivers/pci/vpd.c
> @@ -332,6 +332,13 @@ static umode_t vpd_attr_is_visible(struct kobject *kobj,
>  	if (!pdev->vpd.cap)
>  		return 0;
>  
> +	/*
> +	 * Mellanox devices have implementation that allows VPD read by
> +	 * unprivileged users, so just add needed bits to allow read.
> +	 */
> +	if (unlikely(pdev->vendor == PCI_VENDOR_ID_MELLANOX))
> +		return a->attr.mode | 0044;
> +
>  	return a->attr.mode;
>  }
>  
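
Review bot: The vendor-only test `pdev->vendor == PCI_VENDOR_ID_MELLANOX` in vpd_attr_is_visible() opens VPD read to every function that carries that vendor ID, while the commit message justifies it only as "safe and well tested" without saying which device IDs were covered. Consider gating on a per-device flag set from a quirk, or on an explicit device-ID list, so the extra read bits are granted only where the behaviour was verified. The `unlikely()` hint buys nothing here, since an is_visible callback is evaluated when the attribute is set up rather than on a hot path, and the comment could state the resulting mode (the commit message shows -rw------- becoming -rw-r--r--) so the effect of `| 0044` is obvious to the next reader.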

Could this be with other vendor specific quirks instead?

Also, the wording of the comment is awkward. Suggest:
	On Mellanox devices reading VPD is safe for unprivileged users.
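
Added example (not part of this thread or of the kernel patch): a POSIX shell check an administrator could run on a kernel carrying this change, listing each PCI function's `vpd` mode and flagging world-readable ones whose vendor is not 0x15b3, the value of PCI_VENDOR_ID_MELLANOX. The function names are made up for this example, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit which PCI functions expose a world-readable sysfs
# "vpd" attribute. The root directory is a parameter so the check can be
# pointed at a constructed tree as well as the real /sys/bus/pci/devices.

# audit_vpd_modes [ROOT]
# Prints one line per device that has a vpd file:
#   <BDF> <vendor> <octal mode> <world-readable|root-only>
audit_vpd_modes() {
    root="${1:-/sys/bus/pci/devices}"
    for dev in "$root"/*; do
        [ -e "$dev/vpd" ] || continue
        vendor=$(cat "$dev/vendor" 2>/dev/null || echo unknown)
        mode=$(stat -c '%a' "$dev/vpd")
        # The last octal digit holds the "other" bits; 4 is the read bit.
        other=${mode#"${mode%?}"}
        if [ $((other & 4)) -ne 0 ]; then
            state=world-readable
        else
            state=root-only
        fi
        printf '%s %s %s %s\n' "${dev##*/}" "$vendor" "$mode" "$state"
    done
}

# unexpected_readable [ROOT]
# Reports world-readable vpd files on devices whose vendor ID is not
# 0x15b3, i.e. devices the vendor check in the patch would not match.
unexpected_readable() {
    audit_vpd_modes "$1" | awk '$4 == "world-readable" && $2 != "0x15b3"'
}
```

Calling `audit_vpd_modes` with no argument walks the live sysfs tree; empty output from `unexpected_readable` means no non-Mellanox function has a world-readable `vpd` file.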
