From: Jesse Barnes <jbarnes@virtuousgeek.org>
To: Chris Wright <chrisw@sous-sol.org>
Cc: James Morris <jmorris@namei.org>,
linux-kernel@vger.kernel.org, Eric Paris <eparis@redhat.com>,
Don Dutile <ddutile@redhat.com>,
Greg Kroah-Hartman <gregkh@suse.de>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
linux-pci@vger.kernel.org
Subject: Re: [PATCH 2/2 v2] pci: use security_capable() when checking capablities during config space read
Date: Fri, 4 Mar 2011 10:25:22 -0800 [thread overview]
Message-ID: <20110304102522.5c126fcf@jbarnes-desktop> (raw)
In-Reply-To: <20110210235856.GD9869@sequoia.sous-sol.org>
On Thu, 10 Feb 2011 15:58:56 -0800
Chris Wright <chrisw@sous-sol.org> wrote:
> * James Morris (jmorris@namei.org) wrote:
> > What about these other users of cap_raised?
> >
> > drivers/block/drbd/drbd_nl.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) {
> > drivers/md/dm-log-userspace-transfer.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> > drivers/staging/pohmelfs/config.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> > drivers/video/uvesafb.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
>
> Those are a security_netlink_recv() variant. They should be converted
> although makes sense as a different patchset.
>
> > Also, should this have a reported-by for Eric ?
>
> Yes it should, thanks. Below is patch with Reported-by added (seemed
> overkill to respin the series; holler if that's perferred).
>
> thanks,
> -chris
> ---
>
> From: Chris Wright <chrisw@sous-sol.org>
> Subject: [PATCH 2/2 v2] pci: use security_capable() when checking capablities during config space read
>
> Eric Paris noted that commit de139a3 ("pci: check caps from sysfs file
> open to read device dependent config space") caused the capability check
> to bypass security modules and potentially auditing. Rectify this by
> calling security_capable() when checking the open file's capabilities
> for config space reads.
>
> Reported-by: Eric Paris <eparis@redhat.com>
> Cc: Eric Paris <eparis@redhat.com>
> Cc: Greg Kroah-Hartman <gregkh@suse.de>
> Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
> Cc: linux-pci@vger.kernel.org
> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
> ---
> drivers/pci/pci-sysfs.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
Sorry for the late reply, but this is fine with me. Should probably
just get pushed along with the change to security_capable (assuming
that hasn't been done already).
Acked-by: Jesse Barnes <jbarnes@virtuousgeek.org>
--
Jesse Barnes, Intel Open Source Technology Center
next prev parent reply other threads:[~2011-03-04 18:25 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-10 6:11 [PATCH 0/2] pci: refer to LSM when accessing device dependent config space Chris Wright
2011-02-10 6:11 ` [PATCH 1/2] security: add cred argument to security_capable() Chris Wright
2011-02-10 13:43 ` Serge E. Hallyn
2011-02-10 16:01 ` Casey Schaufler
2011-02-10 16:08 ` Chris Wright
2011-02-10 16:25 ` Casey Schaufler
2011-02-10 6:11 ` [PATCH 2/2] pci: use security_capable() when checking capablities during config space read Chris Wright
2011-02-10 8:23 ` James Morris
2011-02-10 23:58 ` [PATCH 2/2 v2] " Chris Wright
2011-02-14 17:14 ` Eric Paris
2011-03-04 18:25 ` Jesse Barnes [this message]
2011-02-11 7:01 ` [PATCH 0/2] pci: refer to LSM when accessing device dependent config space James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110304102522.5c126fcf@jbarnes-desktop \
--to=jbarnes@virtuousgeek.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chrisw@sous-sol.org \
--cc=ddutile@redhat.com \
--cc=eparis@redhat.com \
--cc=gregkh@suse.de \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox