From: Douglas Gilbert <dgilbert@interlog.com>
To: Peter Jones <pjones@redhat.com>
Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>,
adel.gadllah@gmail.com, matthew@wil.cx,
linux-scsi@vger.kernel.org, jens.axboe@oracle.com
Subject: Re: [PATCH/RFC v3] allow userspace to modify scsi command filter on per device basis
Date: Wed, 18 Jun 2008 01:01:38 +0200 [thread overview]
Message-ID: <48584252.5030901@interlog.com> (raw)
In-Reply-To: <48583074.8010909@redhat.com>
Peter Jones wrote:
> FUJITA Tomonori wrote:
>
>> Well, this changes sg behaviour since sg's allow_ops filter has a
>> access permission different from blk_verify_command filter's.
> >
>> I guess that the first thing you need to do is that figuring out a
>> proper access permission for each command, which sg maintainer, etc
>> can agree. It's pretty hard and that's the reason why this patch has
>> not been merged for years, I think.
>
> I don't think this logic is sound.
That depends on your viewpoint.
IMO all command filtering should be dropped **. We now have
ATA commands tunnelled through SCSI commands (e.g. via SAT)
and will soon have encrypted SCSI commands. Are per device
command filters being proposed? If not, why should we have
the same SCSI command filter for a USB BD drive and a SCSI
enclosure services (SES) device controlling a FC array, just
because they are on the same system?
Why do linux kernel developers have such a hangup about
command filtering? If the user has sufficient permissions
on the pass-through device, let them send commands, simple.
Let udev probe the device, and set its permissions according
to udev's policies. Let the target device do command filtering!
Would any sensible user accept Linux if the kernel developers
decided what could and could not be written to a file?
As far as I can see Microsoft only filters one SCSI command
in their SCSI pass-though, that is the EXTENDED COPY command.
That might give security folks a warm feeling inside but
not someone who needs to use that command via that OS.
Faced with that limitation I would ask the SCSI device
supplier to define a vendor specific SCSI command that did
the same as EXTENDED COPY.
We have situations where the device is smart enough to
decide what SCSI commands should be allowed. For example
a RAID presents its logical volume as a /dev/sd* device
and exposes its physical disks as /dev/sg* devices. In that
situation I think that it is sensible for RAID controller
to disallow WRITE (FORMAT, etc) commands that will corrupt
the state of the volume. Meanwhile smartmontools can be used
to monitor the health of the physical drives via /dev/sg*
(or bsg) devices.
> The patch makes it so distros (and individuals, if they're so inclined)
> can configure the filter correctly for whatever hardware is present,
> regardless of the kernel's ideas of which commands are correct. It
> leaves intact the defaults from the current list used by SG_IO and bsg
> (and maybe some other interfaces?), which most programs have been using
> for quite some time.
>
> If anything, sg is overdue with converting to using the same command
> filter as other direct-scsi-command mechanisms. sg_allow_access() is
> really not something we should be keeping.
>
> I don't think this is a reason not to merge the patch; in fact, quite
> the opposite. This is another case where we've got a specific filter in
> one code path that doesn't match any of the others. Fixing it is
> something that needs to be done. Making it configurable from the
> userland at the same time effectively aleviates the pain that could
> result from doing so.
Sounds like I'm wasting my time.
** So I think sg's command filtering goes too far and the
block layer's filtering just compounds the silliness (and
tilts it in the direction of older MMC commands).
Doug Gilbert
next prev parent reply other threads:[~2008-06-17 23:09 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-06-13 19:33 [PATCH/RFC] allow userspace to modify scsi command filter on per device basis Adel Gadllah
2008-06-13 19:54 ` Matthew Wilcox
2008-06-13 20:22 ` Adel Gadllah
2008-06-13 20:23 ` Adel Gadllah
2008-06-14 6:51 ` [PATCH/RFC v2] " Adel Gadllah
2008-06-16 2:55 ` FUJITA Tomonori
2008-06-16 5:49 ` Adel Gadllah
2008-06-16 6:13 ` FUJITA Tomonori
2008-06-16 9:22 ` [PATCH/RFC v3] " Adel Gadllah
2008-06-17 20:14 ` FUJITA Tomonori
2008-06-17 21:45 ` Peter Jones
2008-06-17 22:40 ` FUJITA Tomonori
2008-06-17 22:49 ` FUJITA Tomonori
2008-06-17 23:01 ` Douglas Gilbert [this message]
2008-06-18 1:13 ` Pete Wyckoff
2008-06-18 7:33 ` Adel Gadllah
2008-06-18 14:55 ` James Smart
2008-06-18 14:56 ` Peter Jones
2008-06-26 10:10 ` Adel Gadllah
2008-06-26 10:13 ` Jens Axboe
2008-06-26 14:36 ` FUJITA Tomonori
2008-06-26 15:05 ` Adel Gadllah
2008-06-26 15:08 ` FUJITA Tomonori
2008-06-26 15:26 ` FUJITA Tomonori
2008-07-24 1:11 ` Dan Williams
2008-07-24 3:31 ` FUJITA Tomonori
2008-07-26 9:03 ` [PATCH 0/3] cmd_filter fixes FUJITA Tomonori
2008-07-26 9:03 ` [PATCH 1/3] move cmd_filter from gendisk to request_queue FUJITA Tomonori
2008-07-26 9:03 ` [PATCH 2/3] sg: restore command permission for TYPE_SCANNER FUJITA Tomonori
2008-07-26 9:03 ` [PATCH 3/3] rename blk_scsi_cmd_filter to blk_cmd_filter FUJITA Tomonori
2008-07-30 20:10 ` [PATCH 1/3] move cmd_filter from gendisk to request_queue Peter Jones
2008-07-31 5:13 ` FUJITA Tomonori
2008-08-16 5:47 ` FUJITA Tomonori
2008-07-27 19:59 ` [PATCH 0/3] cmd_filter fixes Adel Gadllah
2008-07-27 20:02 ` Adel Gadllah
2008-07-28 2:18 ` FUJITA Tomonori
2008-07-30 19:59 ` Adel Gadllah
2008-07-31 4:55 ` FUJITA Tomonori
2008-07-31 7:18 ` Matthew Wilcox
2008-07-31 7:24 ` FUJITA Tomonori
2008-07-31 13:04 ` Matthew Wilcox
2008-07-31 15:18 ` FUJITA Tomonori
2008-08-07 18:47 ` Adel Gadllah
2008-08-08 0:20 ` FUJITA Tomonori
2008-08-08 5:54 ` Jens Axboe
2008-08-08 6:11 ` FUJITA Tomonori
2008-08-08 6:15 ` Jens Axboe
2008-08-08 6:29 ` FUJITA Tomonori
2008-08-08 6:35 ` Jens Axboe
2008-08-08 16:53 ` [PATCH 1/2] drop vmerge accounting Mikulas Patocka
2008-08-08 17:07 ` [PATCH 2/2] " Mikulas Patocka
2008-08-15 9:48 ` Jens Axboe
2008-08-15 18:23 ` [PATCH 3/4] " Mikulas Patocka
2008-08-22 9:10 ` Jens Axboe
2008-08-22 9:17 ` Jens Axboe
2008-08-22 16:58 ` Mikulas Patocka
2008-08-22 17:05 ` Mikulas Patocka
2008-08-22 9:29 ` Pierre Ossman
2008-08-22 9:33 ` Jens Axboe
2008-08-22 21:34 ` Mikulas Patocka
2008-08-22 21:35 ` [PATCH 4/4] " Mikulas Patocka
2008-08-15 18:26 ` Mikulas Patocka
2008-08-21 9:26 ` [PATCH 0/3] cmd_filter fixes Adel Gadllah
2008-08-22 9:10 ` Jens Axboe
2008-06-14 20:26 ` [PATCH/RFC] allow userspace to modify scsi command filter on per device basis Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48584252.5030901@interlog.com \
--to=dgilbert@interlog.com \
--cc=adel.gadllah@gmail.com \
--cc=fujita.tomonori@lab.ntt.co.jp \
--cc=jens.axboe@oracle.com \
--cc=linux-scsi@vger.kernel.org \
--cc=matthew@wil.cx \
--cc=pjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.