Re: [RFC PATCH] sysfs: bin_attr permission checking

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Chris Wright

Subject: Re: [RFC PATCH] sysfs: bin_attr permission checking

Date: Wednesday, May 12, 2010 - 12:44 pm

* Greg KH (greg@kroah.com) wrote:
quoted text> On Wed, May 12, 2010 at 12:28:28PM -0700, Chris Wright wrote:
> > * Greg KH (greg@kroah.com) wrote:
> > > On Wed, May 12, 2010 at 11:47:13AM -0700, Chris Wright wrote:
> > > > The PCI config space bin_attr read handler has a hardcoded CAP_SYS_ADMIN
> > > > check to verify privileges before allowing a user to read device
> > > > dependent config space.  This is meant to protect from an unprivileged
> > > > user potentially locking up the box.
> > > > 
> > > > When assigning a PCI device directly to a guest with libvirt and KVM, the 
> > > > sysfs config space file is chown'd to the user that the KVM guest will
> > > > run as.  The guest needs to have full access to the device's config
> > > > space since it's responsible for driving the device.  However, despite
> > > > being the owner of the sysfs file, the CAP_SYS_ADMIN check will not
> > > > allow read access beyond the config header.
> > > > 
> > > > This patch adds a new bin_attr->read_file() callback which adds a struct
> > > > file to the normal argument list.  This allows an implementation such as
> > > > PCI config space bin_attr read_file handler to check both inode
> > > > permission as well as privileges to determine whether to allow
> > > > privileged actions through the handler.
> > > 
> > > Ick, this is all because we like showing different information if the
> > > user is "privileged or not" :(
> > 
> > yup
> > 
> > > Turns out, that this probably isn't the best user api to implement,
> > > remind me never to do that again...
> > 
> > Yeah, it's challenging to deal with.  Alternative here is a new config
> > sysfs entry that doesn't have this 'feature'.  (I looked into trying to
> > allow manageing the internal capable() check externally, not so pretty).
> 
> That would require people to update libpci and maybe their scripts as
> well, which wouldn't be as good.

Not necessarily.  We'd end up with

  /config <-- legacy w/ CAP_SYS_AMDIN check)
  /config_not_f'd_up <-- new one w/out CAP_SYS_ADMIN, default to 0600 root:root

quoted text> > > > This is just RFC, although I've tested that it does allow the chown +
> > > > read to work as expected.  Any other ideas of how to handle this are
> > > > welcome.
> > > 
> > > Can we just pass in the 'file' for all users of the bin files instead of
> > > the dentry? 
> > 
> > The dentry doesn't currently go beyond sysfs/bin.c.  So, yes, I pushed
> > 'file' through to last level in bin.c before ->read(), and can certinaly
> > just push through to ->read() as well.
> 
> That would be better than having a 'read_file' callback, right?

I think so.

quoted text> > >  You can always get the dentry from the file (as your patch
> > > showes), and there isn't that many users of this interface.  I'd really
> > > rather not have two different types of callbacks here.
> > 
> > Absolutely, this is just RFC (i.e. quicker to compile and test).  What
> > about write()?
> 
> Sure, might as well make it symmetrical :)

:-)

I'll update, split sysfs from pci and resend shortly.

thanks,
chris
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[RFC PATCH] sysfs: bin_attr permission checking, Chris Wright, (Wed May 12, 11:47 am)

Re: [RFC PATCH] sysfs: bin_attr permission checking, Greg KH, (Wed May 12, 12:13 pm)

Re: [RFC PATCH] sysfs: bin_attr permission checking, Chris Wright, (Wed May 12, 12:28 pm)

Re: [RFC PATCH] sysfs: bin_attr permission checking, Greg KH, (Wed May 12, 12:39 pm)

Re: [RFC PATCH] sysfs: bin_attr permission checking, Chris Wright, (Wed May 12, 12:44 pm)

Navigation

Popular discussions


linux-kernel:
Ken Chen	[patch] sched: fix inconsistency when redistribute per-cpu tg->cfs_rq shares.
Ingo Molnar	Re: [PATCH v3] x86: merge the simple bitops and move them to bitops.h
Jan Engelhardt	Re: [PATCH] Allow Kconfig to set default mmap_min_addr protection
Dmitry Torokhov	Re: [2.6 patch] input/serio/hp_sdc.c section fix
Rafael J. Wysocki	[Bug #16380] Loop devices act strangely in 2.6.35
git:
Steven Grimm	Using git as a general backup mechanism (was Re: Using GIT to store /etc)
Jeff King	Re: [PATCH] git-reset: allow --soft in a bare repo
Johannes Sixt	Re: [PATCH 01/14] msvc: Fix compilation errors in compat/win32/sys/poll.c
Johannes Schindelin	Re: [PATCH] Uninstall rule for top level Makefile
Shawn O. Pearce	Re: [PATCH v2] Speed up bash completion loading
git-commits-head:
Linux Kernel Mailing List	cgroups: clean up cgroup_pidlist_find() a bit
Linux Kernel Mailing List	sony-laptop: Add support for extended hotkeys
Linux Kernel Mailing List	IB/core: Add support for masked atomic operations
Linux Kernel Mailing List	V4L/DVB (8939): cx18: fix sparse warnings
Linux Kernel Mailing List	ipv6 mcast: Check address family of gf_group in getsockopt(MS_FILTER).
linux-netdev:
Inaky Perez-Gonzalez	[PATCH 40/40] wimax/i2400m: add CREDITS and MAINTAINERS entries
Karsten Keil	[mISDN PATCH v2 05/19] Reduce stack size in dsp_cmx_send()
linux	Re: 2.6.23-rc8 network problem. Mem leak? ip1000a?
David Miller	Re: tun: Use netif_receive_skb instead of netif_rx
David Miller	Re: [net-next PATCH v2] llc enhancements
freebsd-current:
Matthew Fleming	Re: [RFC] Outline of USB process integration in the kernel taskqueue system
illoai@gmail.com	Re: OT: 2d password
Hartmut Brandt	Re: problem with nss_ldap
Andrew Reilly	Re: FreeBSD's problems as seen by the BSDForen.de community
Max Laier	Re: Upcoming ABI Breakage in RELENG_7

Colocation donated by:

Syndicate