[PATCH] ptp: Add sysfs attribute to show clock is safe to open RO

[PATCH] ptp: Add sysfs attribute to show clock is safe to open RO

[Wojtek Wasko]

Recent patches introduced in 6.15 implement permissions checks for PTP
clocks. Prior to those, a process with readonly access could modify the
state of PTP devices, in particular the generation and consumption of
PPS signals.

Userspace (e.g. udev) managing the ownership and permissions of device
nodes lacks information as to whether kernel implements the necessary
security checks and whether it is safe to expose readonly access to
PTP devices to unprivileged users. Kernel version checks are cumbersome
and prone to failure, especially if backports are considered [1].

Add a readonly sysfs attribute to PTP clocks, "ro_safe", backed by a
static string.

[1] https://github.com/systemd/systemd/pull/37302#issuecomment-2850510329
---
 drivers/ptp/ptp_sysfs.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
index 6b1b8f57cd95..763fc54cf267 100644
--- a/drivers/ptp/ptp_sysfs.c
+++ b/drivers/ptp/ptp_sysfs.c
@@ -28,6 +28,8 @@ static ssize_t max_phase_adjustment_show(struct device *dev,
 }
 static DEVICE_ATTR_RO(max_phase_adjustment);
 
+static DEVICE_STRING_ATTR_RO(ro_safe, 0444, "1\n");
+
 #define PTP_SHOW_INT(name, var)						\
 static ssize_t var##_show(struct device *dev,				\
 			   struct device_attribute *attr, char *page)	\
@@ -320,6 +322,7 @@ static DEVICE_ATTR_RW(max_vclocks);
 
 static struct attribute *ptp_attrs[] = {
 	&dev_attr_clock_name.attr,
+	&dev_attr_ro_safe.attr.attr,
 
 	&dev_attr_max_adjustment.attr,
 	&dev_attr_max_phase_adjustment.attr,
-- 
2.43.5

Re: [PATCH] ptp: Add sysfs attribute to show clock is safe to open RO

[Andrew Lunn]

On Wed, May 14, 2025 at 05:36:21PM +0300, Wojtek Wasko wrote:
> Recent patches introduced in 6.15 implement permissions checks for PTP
> clocks. Prior to those, a process with readonly access could modify the
> state of PTP devices, in particular the generation and consumption of
> PPS signals.
> 
> Userspace (e.g. udev) managing the ownership and permissions of device
> nodes lacks information as to whether kernel implements the necessary
> security checks and whether it is safe to expose readonly access to
> PTP devices to unprivileged users. Kernel version checks are cumbersome
> and prone to failure, especially if backports are considered [1].
> 
> Add a readonly sysfs attribute to PTP clocks, "ro_safe", backed by a
> static string.

~/linux$ grep -r "ro_safe"
~/linux$ 

At minimum, this needs documentation.

But is this really the first time an issue like this has come up?

Also, what was the argument for adding permission checks, and how was
it argued it was not an ABI change?

   Andrew

Re: [PATCH] ptp: Add sysfs attribute to show clock is safe to open RO

[Vadim Fedorenko]

On 14/05/2025 15:54, Andrew Lunn wrote:
> On Wed, May 14, 2025 at 05:36:21PM +0300, Wojtek Wasko wrote:
>> Recent patches introduced in 6.15 implement permissions checks for PTP
>> clocks. Prior to those, a process with readonly access could modify the
>> state of PTP devices, in particular the generation and consumption of
>> PPS signals.
>>
>> Userspace (e.g. udev) managing the ownership and permissions of device
>> nodes lacks information as to whether kernel implements the necessary
>> security checks and whether it is safe to expose readonly access to
>> PTP devices to unprivileged users. Kernel version checks are cumbersome
>> and prone to failure, especially if backports are considered [1].
>>
>> Add a readonly sysfs attribute to PTP clocks, "ro_safe", backed by a
>> static string.
> 
> ~/linux$ grep -r "ro_safe"
> ~/linux$
> 
> At minimum, this needs documentation.
> 
> But is this really the first time an issue like this has come up?

I haven't seen such kind of discussions previously, but it's more about
netdev area only. The original problem was kinda hidden because all
modern distros had udev rules preventing non-root access to PHC devices,
which effectively means no strict access checks are needed. I cannot
find a good example of device with the same issues quickly...

> Also, what was the argument for adding permission checks, and how was
> it argued it was not an ABI change?

The original discussion was in the thread:

https://lore.kernel.org/netdev/DM4PR12MB8558AB3C0DEA666EE334D8BCBEE82@DM4PR12MB8558.namprd12.prod.outlook.com/

while the change has landed in:

https://lore.kernel.org/netdev/20250303161345.3053496-1-wwasko@nvidia.com/

Re: [PATCH] ptp: Add sysfs attribute to show clock is safe to open RO

[Wojtek Wasko]

On 14/05/2025 15:54, Andrew Lunn wrote:
> ~/linux$ grep -r "ro_safe"
> ~/linux$
>
> At minimum, this needs documentation.

Noted. I'll take care of that in v2.

> Also, what was the argument for adding permission checks, and how was
> it argued it was not an ABI change?

Tightening of permission checks without providing backward compat doesn't seem
to be uncommon. One example I found is Greg K-H's cleanup of mtd driver ioctls
and the subsequent further tightening of mtd ioctl permission checks in
response to CVE-2021-47055:
https://lore.kernel.org/linux-mtd/20200716115346.GA1667288@kroah.com/
https://lore.kernel.org/linux-mtd/20210303155735.25887-1-michael@walle.cc/

Another, older example of "silent" tightening of capabilities/permissions
checks can be found in the SCSI aacraid driver:
https://lore.kernel.org/lkml/20070723145105.01b3acc3@the-village.bc.nu/

> But is this really the first time an issue like this has come up?

I agree with Vadim on this - this issue is a little bit special in that the
original bug was "hidden". In all the examples I could find, security issues
were exposed directly and so the kernel patches "silently" closed the security
hole.  In the case of PTP chardev, udev covered the security issue by
completely disallowing unprivileged access to PTP chardevs - a workaround of
sorts.  So what is needed now is a way to tell udev that the security hole is
fixed and the "workaround" can be disabled, i.e. the device is safe to be
exposed readonly to unprivileged users.

Thanks,
Wojtek

Re: [PATCH] ptp: Add sysfs attribute to show clock is safe to open RO

[Jakub Kicinski]

On Wed, 14 May 2025 17:36:21 +0300 Wojtek Wasko wrote:
> Recent patches introduced in 6.15 implement permissions checks for PTP
> clocks. Prior to those, a process with readonly access could modify the
> state of PTP devices, in particular the generation and consumption of
> PPS signals.
> 
> Userspace (e.g. udev) managing the ownership and permissions of device
> nodes lacks information as to whether kernel implements the necessary
> security checks and whether it is safe to expose readonly access to
> PTP devices to unprivileged users. Kernel version checks are cumbersome
> and prone to failure, especially if backports are considered [1].
> 
> Add a readonly sysfs attribute to PTP clocks, "ro_safe", backed by a
> static string.

Please CC Greg on v2, maybe we're missing a trick.
Also remember to add a signoff.