Re: [PATCH 2/2] pci: use security_capable() when checking capablitiesduring config space read

From: James Morris
Date: Thu Feb 10 2011 - 03:23:48 EST


On Wed, 9 Feb 2011, Chris Wright wrote:

> Eric Paris noted that commit de139a3 ("pci: check caps from sysfs file
> open to read device dependent config space") caused the capability check
> to bypass security modules and potentially auditing. Rectify this by
> calling security_capable() when checking the open file's capabilities
> for config space reads.

What about these other users of cap_raised?

drivers/block/drbd/drbd_nl.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) {
drivers/md/dm-log-userspace-transfer.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
drivers/staging/pohmelfs/config.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
drivers/video/uvesafb.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))


Also, should this have a reported-by for Eric ?

--
James Morris
<jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/