Re: [PATCH] allow root to modify raw scsi command permissions list

From: Jens Axboe
Date: Wed Sep 15 2004 - 14:53:33 EST

Next message: Andrea Arcangeli: "Re: [PATCH 1/3] Separate IRQ-stacks from 4K-stacks option"
Previous message: Peter Jones: "Re: [PATCH] allow root to modify raw scsi command permissions list"
In reply to: Kai Makisara: "Re: [PATCH] allow root to modify raw scsi command permissions list"
Next in thread: Peter Jones: "Re: [PATCH] allow root to modify raw scsi command permissions list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Sep 15 2004, Kai Makisara wrote:
> On Tue, 14 Sep 2004, Peter Jones wrote:
>
> > diff -urpN linux-2.5-export/drivers/block/Makefile pjones-2.5-export/drivers/block/Makefile
> > --- linux-2.5-export/drivers/block/Makefile 2004-09-10 11:54:01 -04:00
> > +++ pjones-2.5-export/drivers/block/Makefile 2004-09-10 12:11:50 -04:00
> > @@ -13,7 +13,7 @@
> > # kblockd threads
> > #
> [Patch snipped]
>
> Your patch allows updating the filters for each device. This is one aspect
> of the problem. Another problem is that the command filter appropriate for
> CD/DVD writers is _forced on all devices_. In your patch this is in the
> defaults. In the current scsi_ioctl filter it applies to everything.
>
> I have already commented on MODE SELECT. I still think it is dangerous.
> Looking at the command list reveals a couple of other problems:
> - The command GPCMD_READ_DISC_INFO is "safe_for_read". The command 0x51
> has also another use: XPWRITE(10), i.e., a write command. Clearly a
> problem.
> - The "safe_for_read" command GPCMD_REPORT_KEY, 0xa4, has aliases
> CHANGE ALIAS, SET DEVICE IDENTIFIER and SET TARGET PORT.
> - The "safe_for_write" command GPCMD_SEND_DVD_STRUCTURE has alias
> VOLUME SET OUT (raid configuration).
>
> There are other aliases but they return information and don't look too
> dangerous. The command code is only 8 bits and there probably will be more
> aliasing in future.
>
> My conclusion is that the filter _necessary_ for burning CD/DVDs is _not
> safe for all devices_.
>
> How to solve this problem? One idea I had was to add a sysfs-changable
> attribute accessible to the filter (disk or queue) that would have a few
> possible states: allow only root, allow filtered, allow all? The default
> would be to "allow only root". The cdrom registering could set this to
> "allow filtered". This would allow the current behaviour for CD/DVD drives
> but would be safe for others. Other devices could be selectively allowed
> passthrough access if necessary.
>
> This could also be done in your approach. One possibility would be to
> start with empty filter and call from CD/DVD registering a function that
> sets the filter you currently have as default. This would be both flexible
> and safe.

I think that's a really nice idea. I've said right from the beginning
that the command tables cannot even be per-device type, at least with
CDROMs we have examples of commands with different meanings. But at
least with a device-type default list we're a little closer.

A good reminder of why the whole thing is a mess :-)

--
Jens Axboe

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrea Arcangeli: "Re: [PATCH 1/3] Separate IRQ-stacks from 4K-stacks option"
Previous message: Peter Jones: "Re: [PATCH] allow root to modify raw scsi command permissions list"
In reply to: Kai Makisara: "Re: [PATCH] allow root to modify raw scsi command permissions list"
Next in thread: Peter Jones: "Re: [PATCH] allow root to modify raw scsi command permissions list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]