From: Elias da Silva <silva@aurigatec.de>
To: Jens Axboe <axboe@suse.de>
Cc: lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] drivers/block/scsi_ioctl.c, Video DVD playback support
Date: Mon, 24 Jan 2005 23:10:00 +0100 [thread overview]
Message-ID: <200501242310.00184.silva@aurigatec.de> (raw)
In-Reply-To: <20050124203948.GR2707@suse.de>
On Monday 24 January 2005 21:39, you wrote:
[snip]
: > This is true for protected media because of the authentication
: > process needed between "host" and DVD device. IMHO,
: > the classification of the opcodes
: >
: > a. GPCMD_SEND_KEY and
: > b. GPCMD_SET_STREAMING
: >
: > as only "save for write" is wrong.
:
: You need to explain why you think that is so, since this is the core of
: the argument. The only thing I can say is that perhaps SEND_KEY should
: even be root only, since it has a fairly large scope.
This is exactly the point: if the kernel wants to be safe, the
authentication procedure should be totally implemented in the kernel
and be protected against further changes via "alternative" ways...
but it isn't now and probably won't be although it could be.
On the other hand I don't think it is a good idea to let only
root read a video DVD an a Linux system.
[snip]
: > Furthermore, if you use
: > a. cdrom_ioctl (..., DVD_AUTH,...) instead of
: > b. cdrom_ioctl (..., CDROM_SEND_PACKET,...)
: > -> scsi_cmd_ioctl()-> sg_io()-> verify_command()
: >
: > the same authentication procedure works as expected on a
: > RONLY opened device!
:
: DVD_AUTH by-passes scsi_ioctl.c, so yes.
[snip]
:The problem is that it is policy, and it has to
: be restrictive to be safe.
Yes, and with this "alternative" way to to things in the kernel
a user can complete circumvent the restrictive policy now
implemented in verify_command(). So you are securing
the backdoor and leaving the frontdoor completely open, right?
Now if safety is top priority, than
a. the authentication must be implemented by the kernel and
b. there should be no other way to access the device and
completely circumvent the policy enforcement.
or
we both agree, that in a situation where a user has exclusive
access to the device it would be OK to issue a SEND_KEY, even
if he uses RONLY mode for access.
It is as you wrote a silly situation but the current implementation
don't augment security but instead prevents "innocent" software
to continue to run.
Regards,
Elias
next prev parent reply other threads:[~2005-01-24 22:20 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-01-22 2:27 [PATCH] drivers/block/scsi_ioctl.c, Video DVD playback support Elias da Silva
2005-01-24 8:36 ` Jens Axboe
2005-01-24 19:59 ` Elias da Silva
2005-01-24 20:39 ` Jens Axboe
2005-01-24 22:10 ` Elias da Silva [this message]
2005-01-25 0:01 ` Alan Cox
2005-01-25 8:05 ` Jens Axboe
2005-01-25 9:29 ` Elias da Silva
2005-01-25 12:44 ` Alan Cox
2005-01-25 15:52 ` Elias da Silva
2005-01-25 12:45 ` Jens Axboe
2005-01-25 16:13 ` Elias da Silva
2005-01-25 16:21 ` Jens Axboe
2005-01-25 16:28 ` Elias da Silva
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200501242310.00184.silva@aurigatec.de \
--to=silva@aurigatec.de \
--cc=axboe@suse.de \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox