From: Paolo Bonzini <pbonzini@redhat.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Jens Axboe <axboe@kernel.dk>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [PATCH] block: avoid false positive warnings on ioctl to partition
Date: Mon, 13 Feb 2012 18:45:25 +0100 [thread overview]
Message-ID: <4F394C35.1020908@redhat.com> (raw)
In-Reply-To: <20120213172527.40ac390b@pyramind.ukuu.org.uk>
On 02/13/2012 06:25 PM, Alan Cox wrote:
> Firstly blocking CAP_SYS_RAWIO access by any means to a partition is
> itself nonsense as the process has enough privilege to go poke the
> controller I/O registers by hand.
What if a process has dropped all capabilities except CAP_SYS_RAWIO, and
has permission to access to /dev/sdb1 and /dev/sda? If ioctls are
protected correctly, it will not be able to poke the I/O registers for
/dev/sdb. That's pretty much the point of this.
> Secondly SG_IO allows users to read and write blocks outside their partition as
> far as I can see from the verify logic.
Sure, I do not do any attempt to block anything for CAP_SYS_RAWIO,
including reads/writes outside partitions. As far as I undertsood Linus
agreed to block SG_IO completely, except with a grace period during
which CAP_SYS_RAWIO will still be able to use SG_IO arbitrarily. During
this time they'll get warnings but no change in SG_IO behavior.
> What were the SG_IO command blocks that were caught ? It's going to be
> pretty trivial to add a filter->partition_ok to some of them if need be.
INQUIRY and SYNCHRONIZE CACHE. We certainly do not want to break the
former right away; but given that the cause was a mistake in udev
configuration, we can expect people to fix their rule files in 2012.
But the latter was pointless because they should have just typed
"apropos synchronize" and used fdatasync.
Sure, we can add something like filter->partition_ok and erect a
security vulnerability to the status of feature. It doesn't mean that's
the right thing to do.
> Anyway it fails both by stopping valid stuff and not stopping insecure and
> unsafe stuff.
It is not "valid", it's at best "not harmful".
Paolo
prev parent reply other threads:[~2012-02-13 17:45 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-13 17:13 [PATCH] block: avoid false positive warnings on ioctl to partition Paolo Bonzini
2012-02-13 17:25 ` Alan Cox
2012-02-13 17:45 ` Paolo Bonzini [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F394C35.1020908@redhat.com \
--to=pbonzini@redhat.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).