Re: [PATCH] allow root to modify raw scsi command permissions list

From: Kai Makisara
Date: Wed Sep 15 2004 - 14:16:38 EST

Next message: Robin Holt: "[PATCH 0/2] Fix some return value truncation problems on file writes."
Previous message: Daniel Andersen: "[PATCH] - Spell fixes - adress to address"
In reply to: Peter Jones: "Re: [PATCH] allow root to modify raw scsi command permissions list"
Next in thread: Peter Jones: "Re: [PATCH] allow root to modify raw scsi command permissions list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 14 Sep 2004, Peter Jones wrote:

> diff -urpN linux-2.5-export/drivers/block/Makefile pjones-2.5-export/drivers/block/Makefile
> --- linux-2.5-export/drivers/block/Makefile 2004-09-10 11:54:01 -04:00
> +++ pjones-2.5-export/drivers/block/Makefile 2004-09-10 12:11:50 -04:00
> @@ -13,7 +13,7 @@
> # kblockd threads
> #
[Patch snipped]

Your patch allows updating the filters for each device. This is one aspect
of the problem. Another problem is that the command filter appropriate for
CD/DVD writers is _forced on all devices_. In your patch this is in the
defaults. In the current scsi_ioctl filter it applies to everything.

I have already commented on MODE SELECT. I still think it is dangerous.
Looking at the command list reveals a couple of other problems:
- The command GPCMD_READ_DISC_INFO is "safe_for_read". The command 0x51
has also another use: XPWRITE(10), i.e., a write command. Clearly a
problem.
- The "safe_for_read" command GPCMD_REPORT_KEY, 0xa4, has aliases
CHANGE ALIAS, SET DEVICE IDENTIFIER and SET TARGET PORT.
- The "safe_for_write" command GPCMD_SEND_DVD_STRUCTURE has alias
VOLUME SET OUT (raid configuration).

There are other aliases but they return information and don't look too
dangerous. The command code is only 8 bits and there probably will be more
aliasing in future.

My conclusion is that the filter _necessary_ for burning CD/DVDs is _not
safe for all devices_.

How to solve this problem? One idea I had was to add a sysfs-changable
attribute accessible to the filter (disk or queue) that would have a few
possible states: allow only root, allow filtered, allow all? The default
would be to "allow only root". The cdrom registering could set this to
"allow filtered". This would allow the current behaviour for CD/DVD drives
but would be safe for others. Other devices could be selectively allowed
passthrough access if necessary.

This could also be done in your approach. One possibility would be to
start with empty filter and call from CD/DVD registering a function that
sets the filter you currently have as default. This would be both flexible
and safe.

Opinions?

--
Kai
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Robin Holt: "[PATCH 0/2] Fix some return value truncation problems on file writes."
Previous message: Daniel Andersen: "[PATCH] - Spell fixes - adress to address"
In reply to: Peter Jones: "Re: [PATCH] allow root to modify raw scsi command permissions list"
Next in thread: Peter Jones: "Re: [PATCH] allow root to modify raw scsi command permissions list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]