From: Tejun Heo <tj@kernel.org>
To: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>, Jens Axboe <axboe@kernel.dk>,
lkml <linux-kernel@vger.kernel.org>,
"linux-scsi@vger.kernel.org" <linux-scsi@vger.kernel.org>
Subject: Re: PING^7 (was Re: [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542))
Date: Sat, 25 May 2013 17:37:13 +0900 [thread overview]
Message-ID: <20130525083713.GA6179@mtj.dyndns.org> (raw)
In-Reply-To: <1369456502.5008.5.camel@dabdike>
Hey, James.
On Fri, May 24, 2013 at 09:35:02PM -0700, James Bottomley wrote:
> > Well, I'd actually much prefer disabling CDB whitelisting for all !MMC
> > devices if at all possible.
>
> I'll go along with this. I'm also wondering what the problem would be
Don't think we can. It'd be a behavior change clearly visible to
userland at this point.
> if we just allowed all commands on either CAP_SYS_RAWIO or opening the
> device for write, so we just defer to the filesystem permissions and
> restricted read only opens to the basic all device opcodes.
Given that there are quite a few cases where we give out block device
permission accesses, changing the behavior by default is likely too
dangerous.
> Do we have a real world example of this? Getting the kernel out of the
> command filtering business does seem to be a good idea to me.
Something like the following seems workable.
* Fix the security bug. I don't really care how it's fixed as long as
the amount of whitelisted commands goes down not up.
* It's not like we can remove the filter for !MMC devices at this
point, so I think it makes sense to make it per-class so that we can
*remove* commands which aren't relevant for the device type. Also,
we probably wanna add read blinking comment yelling that no further
commands should be added.
* Merge the patch to give out SG_IO access along with write access, so
the use cases which want to give out SG_IO access can do so
explicitly and be fully responsible for the device. This makes
sense to me. If one wants to be allowed to issue raw commands to
the hardware, one takes the full responsibility.
Thanks.
--
tejun
next prev parent reply other threads:[~2013-05-25 8:37 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-06 15:15 [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542) Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 01/14] sg_io: pass request_queue to blk_verify_command Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 02/14] sg_io: reorganize list of allowed commands Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 03/14] sg_io: use different default filters for each device class Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 04/14] sg_io: resolve conflicts between commands assigned to multiple classes (CVE-2012-4542) Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 05/14] sg_io: whitelist a few more commands for rare & obsolete device types Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 06/14] sg_io: whitelist another command for multimedia devices Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 07/14] sg_io: whitelist a few more commands for media changers Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 08/14] sg_io: whitelist a few more commands for tapes Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 09/14] sg_io: whitelist a few more commands for disks Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 10/14] sg_io: whitelist a few obsolete commands Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 11/14] sg_io: mark blk_set_cmd_filter_defaults as __init Paolo Bonzini
2013-02-06 15:15 ` [PATCH v2 12/14] sg_io: remove remnants of sysfs SG_IO filters Paolo Bonzini
2013-02-06 15:16 ` [PATCH v2 13/14] sg_io: introduce unpriv_sgio queue flag Paolo Bonzini
2013-02-06 15:16 ` [PATCH v2 14/14] sg_io: use unpriv_sgio to disable whitelisting for scanners Paolo Bonzini
2013-02-13 8:32 ` [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542) Paolo Bonzini
2013-02-13 15:35 ` Douglas Gilbert
2013-02-13 15:48 ` Paolo Bonzini
2013-02-20 16:12 ` Paolo Bonzini
2013-03-22 22:30 ` PING^2 " Paolo Bonzini
2013-04-04 18:18 ` PING^3 " Paolo Bonzini
2013-04-17 12:26 ` PING^4 aka The Jon Corbet Effect " Paolo Bonzini
2013-04-27 13:31 ` PING^5 aka New ways to attract attentions " Paolo Bonzini
2013-05-06 20:43 ` PING^6 " Paolo Bonzini
2013-05-22 6:35 ` PING^7 (was Re: [PATCH v2 00/14] Corrections and customization of the SG_IO command whitelist (CVE-2012-4542)) Paolo Bonzini
2013-05-22 9:32 ` Tejun Heo
2013-05-22 9:53 ` Paolo Bonzini
2013-05-22 10:02 ` Tejun Heo
2013-05-22 10:23 ` Paolo Bonzini
2013-05-22 12:07 ` James Bottomley
2013-05-22 14:07 ` Paolo Bonzini
2013-05-22 16:31 ` Paolo Bonzini
2013-05-22 13:41 ` Tejun Heo
2013-05-22 14:12 ` Paolo Bonzini
2013-05-22 14:30 ` Tejun Heo
2013-05-22 15:00 ` Paolo Bonzini
2013-05-22 19:30 ` Tejun Heo
2013-05-22 21:18 ` Paolo Bonzini
2013-05-22 22:17 ` Tejun Heo
2013-05-23 0:54 ` Tejun Heo
2013-05-23 7:45 ` Paolo Bonzini
2013-05-23 9:02 ` Tejun Heo
2013-05-23 9:47 ` Paolo Bonzini
2013-05-24 1:44 ` Tejun Heo
2013-05-24 7:13 ` Paolo Bonzini
2013-05-24 8:02 ` Tejun Heo
2013-05-24 8:31 ` Paolo Bonzini
2013-05-24 9:07 ` Tejun Heo
2013-05-24 9:45 ` Paolo Bonzini
2013-05-24 22:20 ` Tejun Heo
2013-05-25 4:35 ` James Bottomley
2013-05-25 5:27 ` Christoph Hellwig
2013-05-25 7:05 ` Paolo Bonzini
2013-05-25 7:11 ` Christoph Hellwig
2013-05-25 7:21 ` Paolo Bonzini
2013-06-21 11:57 ` Christoph Hellwig
2013-05-25 8:37 ` Tejun Heo [this message]
2013-05-25 11:14 ` Paolo Bonzini
2013-05-25 12:48 ` Tejun Heo
2013-05-25 12:56 ` Paolo Bonzini
2013-05-22 15:03 ` Theodore Ts'o
2013-05-22 15:53 ` Paolo Bonzini
2013-05-22 16:32 ` Martin K. Petersen
2013-05-22 17:00 ` Paolo Bonzini
2013-05-22 18:11 ` Theodore Ts'o
2013-05-22 19:37 ` Paolo Bonzini
2013-05-22 20:19 ` Theodore Ts'o
2013-05-22 20:36 ` Paolo Bonzini
2013-05-25 3:54 ` Vladislav Bolkhovitin
2013-05-28 20:25 ` Martin K. Petersen
2013-05-29 6:12 ` Vladislav Bolkhovitin
2013-05-22 20:39 ` Tejun Heo
2013-05-22 21:12 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130525083713.GA6179@mtj.dyndns.org \
--to=tj@kernel.org \
--cc=James.Bottomley@HansenPartnership.com \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).