From: Leon Romanovsky <leon@kernel.org>
To: Bjorn Helgaas <helgaas@kernel.org>
Cc: "Leon Romanovsky" <leonro@nvidia.com>,
"Krzysztof Wilczyński" <kw@linux.com>,
linux-pci@vger.kernel.org, "Ariel Almog" <ariela@nvidia.com>,
"Aditya Prabhune" <aprabhune@nvidia.com>,
"Hannes Reinecke" <hare@suse.de>,
"Heiner Kallweit" <hkallweit1@gmail.com>,
"Arun Easi" <aeasi@marvell.com>,
"Jonathan Chocron" <jonnyc@amazon.com>,
"Bert Kenward" <bkenward@solarflare.com>,
"Matt Carlson" <mcarlson@broadcom.com>,
"Kai-Heng Feng" <kai.heng.feng@canonical.com>,
"Jean Delvare" <jdelvare@suse.de>,
"Alex Williamson" <alex.williamson@redhat.com>,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH v1 1/2] PCI/sysfs: Change read permissions for VPD attributes
Date: Thu, 7 Nov 2024 20:56:56 +0200 [thread overview]
Message-ID: <f93e6b2393301df6ac960ef6891b1b2812da67f3.1731005223.git.leonro@nvidia.com> (raw)
In-Reply-To: <cover.1731005223.git.leonro@nvidia.com>
From: Leon Romanovsky <leonro@nvidia.com>
The Vital Product Data (VPD) attribute is not readable by regular
user without root permissions. Such restriction is not really needed
for many devices in the world, as data presented in that VPD is not
sensitive and access to the HW is safe and tested.
This change aligns the permissions of the VPD attribute to be accessible
for read by all users, while write being restricted to root only.
For the driver, there is a need to opt-in in order to allow this
functionality.
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
---
drivers/pci/vpd.c | 9 ++++++++-
include/linux/pci.h | 7 ++++++-
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/vpd.c b/drivers/pci/vpd.c
index e4300f5f304f..7c70930abaa0 100644
--- a/drivers/pci/vpd.c
+++ b/drivers/pci/vpd.c
@@ -156,6 +156,7 @@ static ssize_t pci_vpd_read(struct pci_dev *dev, loff_t pos, size_t count,
void *arg, bool check_size)
{
struct pci_vpd *vpd = &dev->vpd;
+ struct pci_driver *drv;
unsigned int max_len;
int ret = 0;
loff_t end = pos + count;
@@ -167,6 +168,12 @@ static ssize_t pci_vpd_read(struct pci_dev *dev, loff_t pos, size_t count,
if (pos < 0)
return -EINVAL;
+ if (!capable(CAP_SYS_ADMIN)) {
+ drv = to_pci_driver(dev->dev.driver);
+ if (!drv || !drv->downgrade_vpd_read)
+ return -EPERM;
+ }
+
max_len = check_size ? vpd->len : PCI_VPD_MAX_SIZE;
if (pos >= max_len)
@@ -317,7 +324,7 @@ static ssize_t vpd_write(struct file *filp, struct kobject *kobj,
return ret;
}
-static BIN_ATTR(vpd, 0600, vpd_read, vpd_write, 0);
+static BIN_ATTR_RW(vpd, 0);
static struct bin_attribute *vpd_attrs[] = {
&bin_attr_vpd,
diff --git a/include/linux/pci.h b/include/linux/pci.h
index 573b4c4c2be6..b8fed74e742e 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -943,6 +943,10 @@ struct module;
* how to manage the DMA themselves and set this flag so that
* the IOMMU layer will allow them to setup and manage their
* own I/O address space.
+ * @downgrade_vpd_read: Device doesn't require root permissions from the users
+ * to read VPD information. The driver doesn't expose any sensitive
+ * information through that interface and safe to be accessed by
+ * unprivileged users.
*/
struct pci_driver {
const char *name;
@@ -960,7 +964,8 @@ struct pci_driver {
const struct attribute_group **dev_groups;
struct device_driver driver;
struct pci_dynids dynids;
- bool driver_managed_dma;
+ bool driver_managed_dma : 1;
+ bool downgrade_vpd_read : 1;
};
#define to_pci_driver(__drv) \
--
2.47.0
next prev parent reply other threads:[~2024-11-07 18:57 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-07 18:56 [PATCH v1 0/2] Fix read permissions for VPD attributes Leon Romanovsky
2024-11-07 18:56 ` Leon Romanovsky [this message]
2024-11-11 20:41 ` [PATCH v1 1/2] PCI/sysfs: Change " Bjorn Helgaas
2024-11-11 21:17 ` Leon Romanovsky
2024-11-11 21:48 ` Bjorn Helgaas
2024-11-12 6:36 ` Leon Romanovsky
2024-11-12 0:34 ` Stephen Hemminger
2024-11-12 6:12 ` Leon Romanovsky
2024-11-12 6:44 ` Heiner Kallweit
2024-11-12 7:26 ` Leon Romanovsky
2024-11-12 21:48 ` Bjorn Helgaas
2024-11-11 21:08 ` Thomas Weißschuh
2024-11-07 18:56 ` [PATCH v1 2/2] net/mlx5: Enable unprivileged read of PCI VPD file Leon Romanovsky
2024-11-07 19:09 ` Jakub Kicinski
2024-11-11 20:31 ` [PATCH v1 0/2] Fix read permissions for VPD attributes Leon Romanovsky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f93e6b2393301df6ac960ef6891b1b2812da67f3.1731005223.git.leonro@nvidia.com \
--to=leon@kernel.org \
--cc=aeasi@marvell.com \
--cc=alex.williamson@redhat.com \
--cc=aprabhune@nvidia.com \
--cc=ariela@nvidia.com \
--cc=bkenward@solarflare.com \
--cc=hare@suse.de \
--cc=helgaas@kernel.org \
--cc=hkallweit1@gmail.com \
--cc=jdelvare@suse.de \
--cc=jonnyc@amazon.com \
--cc=kai.heng.feng@canonical.com \
--cc=kw@linux.com \
--cc=leonro@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=mcarlson@broadcom.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox