From: Krzysztof Opasiak <k.opasiak@samsung.com>
To: "Emilio López" <emilio.lopez@collabora.co.uk>,
gregkh@linuxfoundation.org, stern@rowland.harvard.edu,
kborer@gmail.com
Cc: reillyg@chromium.org, keescook@chromium.org,
linux-api@vger.kernel.org, linux-usb@vger.kernel.org,
linux-kernel@vger.kernel.org, jorgelo@chromium.org,
dan.carpenter@oracle.com
Subject: Re: [PATCH v1 0/1] ioctl to disallow detaching kernel USB drivers
Date: Thu, 26 Nov 2015 10:19:29 +0100 [thread overview]
Message-ID: <5656CEA1.9010203@samsung.com> (raw)
In-Reply-To: <1448466334-21346-1-git-send-email-emilio.lopez@collabora.co.uk>
On 11/25/2015 04:45 PM, Emilio López wrote:
> Hi everyone,
>
> This patch introduces a new ioctl, USBDEVFS_DROP_PRIVILEGES,
> to voluntarily forgo the ability to issue ioctls which may
> interfere with other users of the USB device.
>
> This feature allows a privileged process (in the case of Chrome OS,
> permission_broker) to open a USB device node and then drop a number
> of capabilities that are considered "privileged".
We had the same idea in Tizen but for now we didn't have time to
implement it.
These privileges
> include the ability to reset the device if there are other users
> (most notably a kernel driver) or to disconnect a kernel driver
> from the device. The file descriptor can then be passed to an
> unprivileged process.
And how about switching configuration? This can be also harmful even if
the are no other users for any interface in this configuration.
(Just imagine the situation in which only second config contains an HID
function and when app switch configuration it is activated without user
knowing about this;))
>
> This is useful for granting a process access to a device with
> multiple functions. It won't be able to use its access to one
> function to disrupt or take over control of another function.
I run through your code and as far as I understand above is not exactly
true. Your patch allows only to prevent userspace from accessing
interfaces which has kernel drivers, there is no way to stop an
application from taking control over all free interfaces.
Let's say that your device has 3 interfaces. First of them has a kernel
driver but second and third doesn't. You have 2 apps. One should
communicate using second interface and another one third. But first app
is malicious and it claims all free interfaces of received device (your
patch doesn't prevent this). And when second app starts it is unable to
do anything with the device because all interfaces are taken. How would
you like to handle this?
Moreover I'm not convinced to this patch as it hardcodes the *policy* in
kernel code. Generally our approach (with passing fd from broker to
unprivileged process) was similar but we found out that if we would like
to do this correctly there is much more things to filter than in this
patch. We had two main ideas:
- implement some LSM hooks in ioctls() but this leads to a lot of
additional callbacks in lsm ops struct which even now is very big. But
as a benefit we would get a very flexible policy consistent with other
system policies
- split single usb device node into multiple files which could represent
single endpoins only for io and separate control file for privileged but
it's quite a lot of work and I don't know if any one is going to accept
such a change
Best regards,
--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics
next prev parent reply other threads:[~2015-11-26 9:20 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-25 15:45 [PATCH v1 0/1] ioctl to disallow detaching kernel USB drivers Emilio López
2015-11-25 15:45 ` [PATCH v1] usb: devio: Add " Emilio López
2015-11-26 8:59 ` Peter Chen
2015-11-26 9:20 ` Dan Carpenter
2015-11-26 9:19 ` Krzysztof Opasiak [this message]
2015-11-26 17:29 ` [PATCH v1 0/1] " Greg KH
2015-11-27 8:44 ` Krzysztof Opasiak
2015-11-28 2:39 ` Greg KH
2015-11-30 9:08 ` Oliver Neukum
2015-11-30 16:16 ` Alan Stern
2015-11-30 17:12 ` Krzysztof Opasiak
2015-11-30 17:20 ` Greg KH
2015-11-30 18:48 ` Krzysztof Opasiak
2016-01-19 16:39 ` Emilio López
2016-01-19 18:07 ` Greg KH
2016-01-21 23:54 ` [PATCH v2] usb: devio: Add " Emilio López
2016-01-22 9:41 ` Bjørn Mork
2016-01-25 1:40 ` Emilio López
2016-01-25 8:39 ` Bjørn Mork
2016-01-25 15:21 ` Alan Stern
2016-01-25 15:32 ` Bjørn Mork
2016-01-25 15:46 ` Alan Stern
2016-01-22 16:10 ` Alan Stern
2016-01-25 2:01 ` Emilio López
2016-02-04 3:20 ` [PATCH v3] " Emilio López
2016-02-04 3:46 ` Greg KH
2016-02-04 16:27 ` Alan Stern
2016-02-08 1:56 ` Emilio López
2016-02-15 1:41 ` [PATCH v4] " Emilio López
2016-02-18 18:44 ` Alan Stern
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5656CEA1.9010203@samsung.com \
--to=k.opasiak@samsung.com \
--cc=dan.carpenter@oracle.com \
--cc=emilio.lopez@collabora.co.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jorgelo@chromium.org \
--cc=kborer@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=reillyg@chromium.org \
--cc=stern@rowland.harvard.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox