Re: [PATCH] scsi: Silence unnecessary warnings about ioctl to partition

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Paolo Bonzini <pbonzini@redhat.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Jan Kara <jack@suse.cz>, Jens Axboe <axboe@kernel.dk>,
	LKML <linux-kernel@vger.kernel.org>,
	James Bottomley <JBottomley@parallels.com>,
	linux-scsi@vger.kernel.org
Subject: Re: [PATCH] scsi: Silence unnecessary warnings about ioctl to partition
Date: Wed, 02 May 2012 13:24:19 +0200	[thread overview]
Message-ID: <4FA11963.3040007@redhat.com> (raw)
In-Reply-To: <20120502121208.3c19a9bc@pyramind.ukuu.org.uk>

Il 02/05/2012 13:12, Alan Cox ha scritto:
>> Sure, but then disallowing the ioctls for processes with CAP_SYS_RAWIO
>> will not cause regressions and _can_ happen.  The transition period only
> 
> The user has CAP_SYS_RAWIO, they can already do it by poking the
> registers on the chip directly. It is a nonsense to attempt to block or
> warn about this.

Not true, for example CAP_SYS_RAWIO is still subject to access control.
 Even simple Unix DAC can prevent you from issuing register writes to
/dev/sdb, while letting you do so on /dev/sda and access /dev/sdb1.  I'm
not inventing anything, the old ATA subsystem is already blocking most
"dangerous" ioctls for partitions, even if you have CAP_SYS_RAWIO.

Now of course CAP_SYS_RAWIO lets you use ioperm or iopl, but that's a
separate issue and only limited to x86.

>> up and implement a very restrictive filter for SCSI commands sent to
>> partition.
> 
> The process has CAP_SYS_RAWIO it can already bypass any check you try and
> put in place.

Almost any capability can be abused to bypass checks.  True,
CAP_SYS_RAWIO is especially good at that, but still you can try.

>> The right patch is one that prepares for these step,
> 
> Doesn't look very right to me.
> 
>> http://permalink.gmane.org/gmane.linux.kernel/1254625 for example.  It
>> leaves the warning only for SG_IO, and silently blocks the rest (more
>> rationale in the commit message there).
> 
> Even the printk in that patch is wrong. We have capabilities. Being a
> "root" user is a meaningless distinction here so your ratelimited printk
> isn't just bogus - its wrong. It may have got into RHEL somehow but the
> kernel QA process is a bit higher standard than this proposed patch.

Indeed, RHEL doesn't have the warning at all and blocks all ioctls
including SG_IO (and in the past six months nobody has complained that
something stopped working for them).  Never said the patch is perfect...

> A process with CAP_SYS_RAWIO has total power. It's assumed to know what
> it is doing. Trying to block it doing stuff like that simply makes
> authors do them via different more crass methods.

Getting appropriate permission on device nodes is less crass than
abusing partition device nodes.

Paolo

next prev parent reply	other threads:[~2012-05-02 11:24 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-05-02 10:10 [PATCH] scsi: Silence unnecessary warnings about ioctl to partition Jan Kara
2012-05-02 10:10 ` Jan Kara
2012-05-02 10:15 ` Paolo Bonzini
2012-05-02 10:37   ` Jens Axboe
2012-05-02 10:54   ` Alan Cox
2012-05-02 11:02     ` Paolo Bonzini
2012-05-02 11:12       ` Alan Cox
2012-05-02 11:24         ` Paolo Bonzini [this message]
2012-05-02 12:05           ` Alan Cox
2012-05-02 12:23             ` Paolo Bonzini
2012-05-02 19:38           ` Mark Lord
2012-05-03  7:47             ` Paolo Bonzini
2012-05-03 12:40               ` Mark Lord
2012-05-03 12:47                 ` Paolo Bonzini
2012-05-03 17:36                   ` Mark Lord
2012-05-04  6:39                     ` Paolo Bonzini
2012-05-04 13:06                       ` Mark Lord
2012-05-04 13:08                         ` Paolo Bonzini
2012-05-04 13:11                         ` Mark Lord
2012-05-04 13:24                           ` Mark Lord
2012-05-02 13:51   ` Jan Kara
2012-05-02 13:59     ` Paolo Bonzini
2012-05-02 15:10       ` Alan Cox
2012-05-02 15:49         ` Paolo Bonzini
2012-05-02 20:49           ` Paolo Bonzini
2012-05-02 19:49       ` Jan Kara
2012-05-02 21:16         ` Paolo Bonzini
2012-06-15  8:14 ` Paolo Bonzini
2012-06-15  8:46   ` Jan Kara
  -- strict thread matches above, loose matches on Subject: below --
2012-06-15 10:50 Jan Kara
2012-06-15 10:50 ` Jan Kara
2012-06-15 10:51 ` Jens Axboe
2012-06-15 13:58   ` Nick Bowler
2012-06-15 14:22     ` Paolo Bonzini
2012-06-15 14:23     ` Jan Kara
2012-06-15 14:31       ` Nick Bowler
2012-06-15 11:00 ` Alan Cox

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4FA11963.3040007@redhat.com \
    --to=pbonzini@redhat.com \
    --cc=JBottomley@parallels.com \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=axboe@kernel.dk \
    --cc=jack@suse.cz \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-scsi@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.