public inbox for linux-kernel@vger.kernel.org
From: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
To: <Mario.Limonciello@dell.com>
Cc: <greg@kroah.com>, <dvhart@infradead.org>,
	<andy.shevchenko@gmail.com>, <linux-kernel@vger.kernel.org>,
	<platform-driver-x86@vger.kernel.org>, <luto@kernel.org>,
	<quasisec@google.com>, <pali.rohar@gmail.com>,
	<rjw@rjwysocki.net>, <mjg59@google.com>, <hch@lst.de>
Subject: Re: [PATCH v7 10/15] platform/x86: dell-smbios: add filtering capability for requests
Date: Fri, 13 Oct 2017 16:19:36 +0100
Message-ID: <20171013161936.430f7a02@alans-desktop>
In-Reply-To: <62ce0707d58b42618128e68f3bb9a45f@ausx13mpc124.AMER.DELL.COM>

On Fri, 13 Oct 2017 15:03:10 +0000
> Take off your "kernel" hat and put on a "customer" hat for a few moments
> while I try to put this in practical terms why the whitelist approach doesn't
> scale for what I'm trying to do.

As a customer I'm more worried about someone trashing my system or
breaking my security.

> So considering the above isn't offering stuff like this a decision better made by the OEM?
> If the OEM doesn't want customers to be able to modify something we don't offer it in the
> manageability interface.  If the kernel community doesn't want people to be 
> modifying something the OEM does offer, it can just as well be blacklisted in the 
> kernel driver like the current filtering approach offers.

So you implement the rule

	if (whitelisted && ((capabilities & whitelist->capability_need) ==
	    whitelist->capability_need))
		return ALLOWED;

	if (capable(CAP_SYS_RAWIO))
		return ALLOWED;

	return NO;

This puts you in the position where - known tools work and can sometimes
be unprivileged. Privileged tools with enough priv to screw the machine
can work anyway. Which is better than the starting point.


You could further enhance this by having a CAP_SYS_RAWIO interface to add
whitelist entries, or to add an eBPF filter that can also make decisions
for you.

Now you've got the ability to push a policy update.

Alan
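
Added example, not part of the message above or of the dell-smbios patch: a userspace C model of the rule sketched in the message (whitelist entry with its required capabilities, then a raw-I/O fallback, then default deny). The CAPF_* bits, struct wl_entry, the class/select values and filter_request() are assumptions made for illustration; in the kernel the fallback would be capable(CAP_SYS_RAWIO).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical capability bits for this model only. */
#define CAPF_SYS_ADMIN (1u << 0)
#define CAPF_SYS_RAWIO (1u << 1)

enum verdict { DENIED = 0, ALLOWED = 1 };

/* One whitelist entry: a request and the capability bits it needs (0 = none). */
struct wl_entry {
	uint16_t cmd_class, cmd_select;
	uint32_t capability_need;
};

/* Constructed sample policy, not real Dell SMBIOS class/select assignments. */
static const struct wl_entry whitelist[] = {
	{ 1, 0, 0 },              /* read-only query: any caller */
	{ 2, 3, CAPF_SYS_ADMIN }, /* setting change: needs admin */
};

static const struct wl_entry *wl_lookup(uint16_t cls, uint16_t sel)
{
	for (size_t i = 0; i < sizeof(whitelist) / sizeof(whitelist[0]); i++)
		if (whitelist[i].cmd_class == cls && whitelist[i].cmd_select == sel)
			return &whitelist[i];
	return NULL;
}

enum verdict filter_request(uint16_t cls, uint16_t sel, uint32_t capabilities)
{
	const struct wl_entry *e = wl_lookup(cls, sel);

	/* Whitelisted, and the caller holds every bit the entry requires. */
	if (e && (capabilities & e->capability_need) == e->capability_need)
		return ALLOWED;
	/* Unknown or under-privileged request: only raw-I/O privilege passes. */
	if (capabilities & CAPF_SYS_RAWIO)
		return ALLOWED;
	return DENIED; /* default deny */
}

int main(void)
{
	printf("unprivileged, whitelisted query: %d\n", filter_request(1, 0, 0));
	printf("admin, unknown request:          %d\n", filter_request(9, 9, CAPF_SYS_ADMIN));
	return 0;
}
```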
