Re: SG_IO and security

[Linus Torvalds]

On Thu, 12 Aug 2004, Alan Cox wrote:
> > > 
> > > Hmm.. This still allows the old "junk" commands (SCSI_IOCTL_SEND_COMMAND).
> 
> That uses sg_io() so gets caught as well unless I screwed up following
> the code paths.

No, while the cdrom_ioctl thing does use sg_io, the really old and 
horrible sg_scsi_ioctl thing does it's own commands by hand.

I don't know why. I get the feeling that it _should_ use sg_io().

> With the current code I can destroy all your hard disks given read
> access to the drive.

Oh, I clearly agree with you that something had to be done. Which is why I 
did an extended version of your patch already.

> Do we
> 
> a) Have code that essentially says "if read on base device can do ....,
> if write can do ... , else capable(...)"
> 
> b) ioctls/other command functionality for the stuff users should be
> allowed to do. 
> 
> Option (a) means parsing command blocks which are pretty regular and
> parseable. 

Yes. I think we should do:
 - harmless read-only commands that we know, we allow for read opens
 - harmless write-only commands that we know, we allow for write opens
 - commands we don't know, or commands that aren't harmless, we require 
   RAWIO-capability for.

That seems fairly trivial to implement, and is clearly the user-friendly 
thing to do. The quick patch is just too damn unfriendly.

		Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/