Re: [RFC PATCH] sysfs: bin_attr permission checking

[Chris Wright <chrisw@sous-sol.org>]

* Greg KH (greg@kroah.com) wrote:
> On Wed, May 12, 2010 at 12:28:28PM -0700, Chris Wright wrote:
> > * Greg KH (greg@kroah.com) wrote:
> > > On Wed, May 12, 2010 at 11:47:13AM -0700, Chris Wright wrote:
> > > > The PCI config space bin_attr read handler has a hardcoded CAP_SYS_ADMIN
> > > > check to verify privileges before allowing a user to read device
> > > > dependent config space.  This is meant to protect from an unprivileged
> > > > user potentially locking up the box.
> > > > 
> > > > When assigning a PCI device directly to a guest with libvirt and KVM, the 
> > > > sysfs config space file is chown'd to the user that the KVM guest will
> > > > run as.  The guest needs to have full access to the device's config
> > > > space since it's responsible for driving the device.  However, despite
> > > > being the owner of the sysfs file, the CAP_SYS_ADMIN check will not
> > > > allow read access beyond the config header.
> > > > 
> > > > This patch adds a new bin_attr->read_file() callback which adds a struct
> > > > file to the normal argument list.  This allows an implementation such as
> > > > PCI config space bin_attr read_file handler to check both inode
> > > > permission as well as privileges to determine whether to allow
> > > > privileged actions through the handler.
> > > 
> > > Ick, this is all because we like showing different information if the
> > > user is "privileged or not" :(
> > 
> > yup
> > 
> > > Turns out, that this probably isn't the best user api to implement,
> > > remind me never to do that again...
> > 
> > Yeah, it's challenging to deal with.  Alternative here is a new config
> > sysfs entry that doesn't have this 'feature'.  (I looked into trying to
> > allow manageing the internal capable() check externally, not so pretty).
> 
> That would require people to update libpci and maybe their scripts as
> well, which wouldn't be as good.

Not necessarily.  We'd end up with

  /config <-- legacy w/ CAP_SYS_AMDIN check)
  /config_not_f'd_up <-- new one w/out CAP_SYS_ADMIN, default to 0600 root:root

> > > > This is just RFC, although I've tested that it does allow the chown +
> > > > read to work as expected.  Any other ideas of how to handle this are
> > > > welcome.
> > > 
> > > Can we just pass in the 'file' for all users of the bin files instead of
> > > the dentry? 
> > 
> > The dentry doesn't currently go beyond sysfs/bin.c.  So, yes, I pushed
> > 'file' through to last level in bin.c before ->read(), and can certinaly
> > just push through to ->read() as well.
> 
> That would be better than having a 'read_file' callback, right?

I think so.

> > >  You can always get the dentry from the file (as your patch
> > > showes), and there isn't that many users of this interface.  I'd really
> > > rather not have two different types of callbacks here.
> > 
> > Absolutely, this is just RFC (i.e. quicker to compile and test).  What
> > about write()?
> 
> Sure, might as well make it symmetrical :)

:-)

I'll update, split sysfs from pci and resend shortly.

thanks,
chris