From: Paolo Bonzini <pbonzini@redhat.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
Tejun Heo <tj@kernel.org>, Jens Axboe <axboe@kernel.dk>,
lkml <linux-kernel@vger.kernel.org>,
"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>
Subject: Re: PING^7 (was Re: [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542))
Date: Sat, 25 May 2013 09:21:10 +0200 [thread overview]
Message-ID: <51A06666.1060207@redhat.com> (raw)
In-Reply-To: <20130525071118.GA11912@infradead.org>
Il 25/05/2013 09:11, Christoph Hellwig ha scritto:
> > Linus wanted to keep that for CAP_SYS_RAWIO. We found two uses of SG_IO
> > on partitions: zfs-fuse used SYNCHRONIZE CACHE; some proprietary driver
> > used TEST UNIT READY.
> >
> > Really, the solution is to make the bitmaps configurable in userspace.
> > It is no less secure than unpriv_sgio. Then the kernel can be
> > configured at build-time to have either an MMC bitmap and a basic
> > whitelist of a dozen commands. We can even avoid working around those
> > few conflicting opcodes; if you're paranoid you can just configure your
> > kernel right.
>
> Keep it simple. Allowing SG_IO for CAP_SYS_RAWIO probably is fine,
> allowing it for permissions only clearly isn't. All the per-command
> filetering is just complete bullshit and the kind of bloat that
> eventually will make Linux unmaintainable.
What I'm proposing is:
- by default, only allow INQUIRY / REPORT LUNS / TEST UNIT READY. Keep
the old whitelist available for backwards-compatibility, configurable at
build-time.
- let CAP_SYS_ADMIN users set a different per-device whitelist.
Paolo
next prev parent reply other threads:[~2013-05-25 7:21 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-06 15:15 [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542) Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 01/14] sg_io: pass request_queue to blk_verify_command Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 02/14] sg_io: reorganize list of allowed commands Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 03/14] sg_io: use different default filters for each device class Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 04/14] sg_io: resolve conflicts between commands assigned to multiple classes (CVE-2012-4542) Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 05/14] sg_io: whitelist a few more commands for rare & obsolete device types Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 06/14] sg_io: whitelist another command for multimedia devices Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 07/14] sg_io: whitelist a few more commands for media changers Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 08/14] sg_io: whitelist a few more commands for tapes Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 09/14] sg_io: whitelist a few more commands for disks Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 10/14] sg_io: whitelist a few obsolete commands Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 11/14] sg_io: mark blk_set_cmd_filter_defaults as __init Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 12/14] sg_io: remove remnants of sysfs SG_IO filters Paolo Bonzini
2013-02-06 15:16 ` [PATCH v2 13/14] sg_io: introduce unpriv_sgio queue flag Paolo Bonzini
2013-02-06 15:16 ` [PATCH v2 14/14] sg_io: use unpriv_sgio to disable whitelisting for scanners Paolo Bonzini
2013-02-13 8:32 ` [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542) Paolo Bonzini
2013-02-13 8:32 ` Paolo Bonzini
2013-02-13 15:35 ` Douglas Gilbert
2013-02-13 15:48 ` Paolo Bonzini
2013-02-20 16:12 ` Paolo Bonzini
2013-02-20 16:12 ` Paolo Bonzini
2013-03-22 22:30 ` PING^2 " Paolo Bonzini
2013-04-04 18:18 ` PING^3 " Paolo Bonzini
2013-04-04 18:18 ` Paolo Bonzini
2013-04-17 12:26 ` PING^4 aka The Jon Corbet Effect " Paolo Bonzini
2013-04-27 13:31 ` PING^5 aka New ways to attract attentions " Paolo Bonzini
2013-04-27 13:31 ` Paolo Bonzini
2013-05-06 20:43 ` PING^6 " Paolo Bonzini
2013-05-22 6:35 ` PING^7 (was Re: [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542)) Paolo Bonzini
2013-05-22 9:32 ` Tejun Heo
2013-05-22 9:53 ` Paolo Bonzini
2013-05-22 10:02 ` Tejun Heo
2013-05-22 10:23 ` Paolo Bonzini
2013-05-22 12:07 ` James Bottomley
2013-05-22 14:07 ` Paolo Bonzini
2013-05-22 16:31 ` Paolo Bonzini
2013-05-22 16:31 ` Paolo Bonzini
2013-05-22 13:41 ` Tejun Heo
2013-05-22 14:12 ` Paolo Bonzini
2013-05-22 14:30 ` Tejun Heo
2013-05-22 15:00 ` Paolo Bonzini
2013-05-22 19:30 ` Tejun Heo
2013-05-22 21:18 ` Paolo Bonzini
2013-05-22 22:17 ` Tejun Heo
2013-05-23 0:54 ` Tejun Heo
2013-05-23 7:45 ` Paolo Bonzini
2013-05-23 9:02 ` Tejun Heo
2013-05-23 9:47 ` Paolo Bonzini
2013-05-24 1:44 ` Tejun Heo
2013-05-24 7:13 ` Paolo Bonzini
2013-05-24 8:02 ` Tejun Heo
2013-05-24 8:31 ` Paolo Bonzini
2013-05-24 9:07 ` Tejun Heo
2013-05-24 9:45 ` Paolo Bonzini
2013-05-24 22:20 ` Tejun Heo
2013-05-25 4:35 ` James Bottomley
2013-05-25 5:27 ` Christoph Hellwig
2013-05-25 7:05 ` Paolo Bonzini
2013-05-25 7:11 ` Christoph Hellwig
2013-05-25 7:21 ` Paolo Bonzini [this message]
2013-06-21 11:57 ` Christoph Hellwig
2013-05-25 8:37 ` Tejun Heo
2013-05-25 11:14 ` Paolo Bonzini
2013-05-25 12:48 ` Tejun Heo
2013-05-25 12:56 ` Paolo Bonzini
2013-05-22 15:03 ` Theodore Ts'o
2013-05-22 15:53 ` Paolo Bonzini
2013-05-22 16:32 ` Martin K. Petersen
2013-05-22 17:00 ` Paolo Bonzini
2013-05-22 18:11 ` Theodore Ts'o
2013-05-22 19:37 ` Paolo Bonzini
2013-05-22 20:19 ` Theodore Ts'o
2013-05-22 20:36 ` Paolo Bonzini
2013-05-25 3:54 ` Vladislav Bolkhovitin
2013-05-28 20:25 ` Martin K. Petersen
2013-05-29 6:12 ` Vladislav Bolkhovitin
2013-05-22 20:39 ` Tejun Heo
2013-05-22 21:12 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51A06666.1060207@redhat.com \
--to=pbonzini@redhat.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=axboe@kernel.dk \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.