From: Jeremy Kerr <jk@ozlabs.org>
To: OpenBMC Patches <openbmc-patches@stwcx.xyz>, openbmc@lists.ozlabs.org
Cc: tomjose <tomjoseph@in.ibm.com>
Subject: Re: [PATCH phosphor-host-ipmid] Support for restricted mode for IPMI commands
Date: Thu, 21 Apr 2016 18:08:31 +0800
Message-ID: <5718A69F.3060902@ozlabs.org>
In-Reply-To: <1459194642-16791-2-git-send-email-openbmc-patches@stwcx.xyz>

Hi Tom,

> From: tomjose <tomjoseph@in.ibm.com>

Can you use a full name for the commit, and add some detail to the
commit log?

Also, you may want to check out our contributing guidelines:

  https://github.com/openbmc/docs/blob/master/contributing.md

> @@ -88,6 +89,12 @@ ipmi_ret_t ipmi_app_set_acpi_power_state(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
>      *data_len = 0;
>  
>      printf("IPMI SET ACPI STATE Ignoring for now\n");
> +
> +    if(restricted_mode)
> +    {
> +        return IPMI_CC_INSUFFICIENT_PRIVILEGE;
> +    }
> +
>      return rc;
>  }
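Review bot: the restricted_mode check in ipmi_app_set_acpi_power_state runs only after the handler has already done its work (the `*data_len = 0;` and the printf above it), so in a handler with real side effects those would happen before IPMI_CC_INSUFFICIENT_PRIVILEGE is returned; the privilege check needs to come before any handler-specific code, and better still before the handler is invoked at all, in the common dispatch path. Also, `if(restricted_mode)` wants a space after `if`.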

I don't think this is a maintainable method of implementing restricted
mode, for a couple of reasons:

 - The checks are scattered throughout the codebase. We would have to
   audit every ipmi function to check that restricted mode is
   implemented properly.

 - If we add new commands, we have no way to ensure the whitelist is
   implemented correctly for that command.

We'd be better off implementing the check at a single location, where
the IPMI command is first demultiplexed. This way, we can audit it in a
central location, and have a single list of whitelisted commands.

I'd suggest we have a function, looking something like:

struct {
	ipmi_netfn_t	netfn;
	ipmi_cmd_t	cmd;
} ipmi_whitelist[] = {
	{ NETFUN_CHASSIS, IPMI_CMD_CHASSIS_CONTROL },
	....
};

bool ipmi_command_is_allowed(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
	void *data)
{
	int i;

	if (!restricted_mode)
		return true;

	for (i = 0; i < ARRAY_SIZE(ipmi_whitelist); i++) {
		if (netfn == ipmi_whitelist[i].netfn &&
				cmd == ipmi_whitelist[i].cmd)
			return true;
	}

	return false;
}

this would be called from handle_ipmi_command, before we route it to a
handler; if it returns false there, then we return
IPMI_CC_INSUFFICIENT_PRIVILEGE immediately.

This way, we have a whitelist rather than a blacklist, and we can audit
it much more easily.

Regards,


Jeremy
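The dispatch-time check described in the reply above, worked through as an added example (not Jeremy's sketch and not phosphor-host-ipmid code): a single whitelist consulted once in the dispatcher, with handlers that carry no privilege logic of their own. The unused `void *data` parameter from the sketch is dropped. The type names, the NETFUN_/IPMI_CMD_ values, the completion codes, the `restricted_mode` setter and the small handler table are all assumed stand-ins for the project's own definitions.

```c
/* Added example, not phosphor-host-ipmid code. Types, constants and the
 * handler table below are assumed stand-ins for the real definitions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t ipmi_netfn_t;
typedef uint8_t ipmi_cmd_t;
typedef int     ipmi_ret_t;

/* Assumed numeric values; the project's headers define their own. */
#define NETFUN_CHASSIS                 0x00
#define NETFUN_APP                     0x06
#define IPMI_CMD_CHASSIS_CONTROL       0x02
#define IPMI_CMD_GET_DEVICE_ID         0x01
#define IPMI_CMD_SET_ACPI_POWER_STATE  0x06
#define IPMI_CC_OK                     0x00
#define IPMI_CC_INVALID                0xC1
#define IPMI_CC_INSUFFICIENT_PRIVILEGE 0xD4

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

static bool restricted_mode;        /* set by whatever policy enables restricted mode */
static int  set_acpi_state_calls;   /* counts handler runs, to show the check comes first */

struct ipmi_cmd_id { ipmi_netfn_t netfn; ipmi_cmd_t cmd; };

/* The single whitelist: only these (netfn, cmd) pairs pass in restricted mode. */
static const struct ipmi_cmd_id ipmi_whitelist[] = {
    { NETFUN_CHASSIS, IPMI_CMD_CHASSIS_CONTROL },
    { NETFUN_APP,     IPMI_CMD_GET_DEVICE_ID },
};

bool ipmi_command_is_allowed(ipmi_netfn_t netfn, ipmi_cmd_t cmd)
{
    if (!restricted_mode)
        return true;
    for (size_t i = 0; i < ARRAY_SIZE(ipmi_whitelist); i++)
        if (ipmi_whitelist[i].netfn == netfn && ipmi_whitelist[i].cmd == cmd)
            return true;
    return false;                   /* default deny: anything unlisted is refused */
}

/* Handlers contain no privilege logic; the dispatcher has already decided. */
typedef ipmi_ret_t (*ipmi_handler_t)(const uint8_t *req, size_t req_len, size_t *resp_len);

static ipmi_ret_t set_acpi_power_state(const uint8_t *req, size_t req_len, size_t *resp_len)
{
    (void)req; (void)req_len;
    set_acpi_state_calls++;         /* the side effect a denied request must never reach */
    *resp_len = 0;
    return IPMI_CC_OK;
}

static ipmi_ret_t generic_ok(const uint8_t *req, size_t req_len, size_t *resp_len)
{
    (void)req; (void)req_len;
    *resp_len = 0;
    return IPMI_CC_OK;
}

struct ipmi_route { ipmi_netfn_t netfn; ipmi_cmd_t cmd; ipmi_handler_t fn; };

static const struct ipmi_route ipmi_routes[] = {
    { NETFUN_CHASSIS, IPMI_CMD_CHASSIS_CONTROL,      generic_ok },
    { NETFUN_APP,     IPMI_CMD_GET_DEVICE_ID,        generic_ok },
    { NETFUN_APP,     IPMI_CMD_SET_ACPI_POWER_STATE, set_acpi_power_state },
};

/* The one choke point: refuse before any handler is looked up or run. */
ipmi_ret_t handle_ipmi_command(ipmi_netfn_t netfn, ipmi_cmd_t cmd,
                               const uint8_t *req, size_t req_len, size_t *resp_len)
{
    *resp_len = 0;
    if (!ipmi_command_is_allowed(netfn, cmd))
        return IPMI_CC_INSUFFICIENT_PRIVILEGE;
    for (size_t i = 0; i < ARRAY_SIZE(ipmi_routes); i++)
        if (ipmi_routes[i].netfn == netfn && ipmi_routes[i].cmd == cmd)
            return ipmi_routes[i].fn(req, req_len, resp_len);
    return IPMI_CC_INVALID;         /* allowed but no handler registered */
}

void ipmi_set_restricted_mode(bool on) { restricted_mode = on; }
int  ipmi_set_acpi_state_calls(void)   { return set_acpi_state_calls; }

/* Convenience wrapper for callers that only want the completion code. */
ipmi_ret_t ipmi_dispatch_probe(ipmi_netfn_t netfn, ipmi_cmd_t cmd)
{
    size_t resp_len;
    return handle_ipmi_command(netfn, cmd, NULL, 0, &resp_len);
}

int main(void)
{
    ipmi_set_restricted_mode(true);
    ipmi_ret_t cc = ipmi_dispatch_probe(NETFUN_APP, IPMI_CMD_SET_ACPI_POWER_STATE);
    printf("restricted:   set ACPI state -> cc 0x%02X, handler ran %d times\n",
           cc, ipmi_set_acpi_state_calls());
    ipmi_set_restricted_mode(false);
    cc = ipmi_dispatch_probe(NETFUN_APP, IPMI_CMD_SET_ACPI_POWER_STATE);
    printf("unrestricted: set ACPI state -> cc 0x%02X, handler ran %d times\n",
           cc, ipmi_set_acpi_state_calls());
    return 0;
}
```

Because the whitelist is a default-deny table consulted before the route lookup, a newly added handler is refused in restricted mode until someone deliberately adds its (netfn, cmd) pair, which is the auditability property the reply is asking for.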

Thread overview: 3+ messages
2016-03-28 19:50 [PATCH phosphor-host-ipmid] Support for restricted mode for IPMI commands OpenBMC Patches
2016-03-28 19:50 ` OpenBMC Patches
2016-04-21 10:08   ` Jeremy Kerr [this message]
