Re: [PATCH] scsi: Silence unnecessary warnings about ioctl to partition

From: Paolo Bonzini
Date: Wed May 02 2012 - 08:24:57 EST

Next message: Julia Lawall: "Re: question about fs/jffs2/readinode.c"
Previous message: Laurent Pinchart: "Re: UVCvideo: Failed to resubmit video URB (-27) with Linux 3.3.3"
In reply to: Alan Cox: "Re: [PATCH] scsi: Silence unnecessary warnings about ioctl topartition"
Next in thread: Mark Lord: "Re: [PATCH] scsi: Silence unnecessary warnings about ioctl to partition"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > not inventing anything, the old ATA subsystem is already blocking
> > most
> > "dangerous" ioctls for partitions, even if you have CAP_SYS_RAWIO.
>
> It blocked a few by default to protect hardware. It's a tricky
> tradeoff, which is quite different to this.

I agree it's tricky.

> > Now of course CAP_SYS_RAWIO lets you use ioperm or iopl, but that's
> > a separate issue and only limited to x86.
>
> Ie only 99.99% of the systems running desktop/server Linux OS
> designs.

You can still block those in other ways, seccompv2 could be one.

> > Almost any capability can be abused to bypass checks. True,
> > CAP_SYS_RAWIO is especially good at that, but still you can try.
>
> Why try - you are seeking to arbitarily impose your own worldview on
> the interface (and in doing so break back compatibility). The whole basis
> of the Unix philosophy is that the OS shouldn't try and micromanage the
> priviledged apps because that just leads to crap code.

The whole point of capabilities, SELinux, etc. is micromanaging privileged
apps. Linux has gone beyond the Unix philosophy, it seems.

Besides, privileged apps can and do use capabilities to micromanage
themselves. Sure, ioperm/iopl do mean that a compromised CAP_SYS_RAWIO app
has free reins. However, until that app is compromised, it may like to get
help from the OS in making effective use of access control.

> > > A process with CAP_SYS_RAWIO has total power. It's assumed to
> > > know what it is doing. Trying to block it doing stuff like that simply
> > > makes authors do them via different more crass methods.
> >
> > Getting appropriate permission on device nodes is less crass than
> > abusing partition device nodes.
>
> Given a passed file handle how do you do that securely. Remember that
> open /dev/foo while you have a handle on /dev/foo1 could open a
> different disk if a hotplug has occurred.

What is the exact use case for this, where you wouldn't have gotten an
fd for /dev/foo in the first place? And what command do you want to
send to the disk? The only "valid" case found in the wild was using
SG_IO to send "SYNCHRONIZE CACHE", which is wrong anyway (does not
flush the OS cache). fdatasync could and should have been used instead.

Paolo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Julia Lawall: "Re: question about fs/jffs2/readinode.c"
Previous message: Laurent Pinchart: "Re: UVCvideo: Failed to resubmit video URB (-27) with Linux 3.3.3"
In reply to: Alan Cox: "Re: [PATCH] scsi: Silence unnecessary warnings about ioctl topartition"
Next in thread: Mark Lord: "Re: [PATCH] scsi: Silence unnecessary warnings about ioctl to partition"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]