On Fri, 02 Nov 2012 15:49:02 +0100 Paolo Bonzini <pbonz...@redhat.com> wrote:
> Il 31/10/2012 22:22, Tejun Heo ha scritto: > > Hello, Paolo. > > > > On Thu, Oct 25, 2012 at 02:35:20PM -0400, Paolo Bonzini wrote: > >>> Disabling filters if opened by root and tranfering via SCM_RIGHTS > >>> would be the simplest interface-wise (there's no new interface at > >>> all). Would that be too dangerous security-wise? > >> > >> That would be a change with respect to what we have now. After > >> transferring a root-opened (better: CAP_SYS_RAWIO-opened) file > >> descriptor to an unprivileged process your SG_IO commands get > >> filtered. So a ioctl is needed if you want to rely on SCM_RIGHTS. > > > > Yeah, I get that it's a behavior change, but would that be a problem? > > Worse, it's a potential security hole because previously you'd get > filtering and now you wouldn't. > > Considering that SCM_RIGHTS is usually used to transfer a file > descriptor from a privileged process to an unprivileged one, I'd be very > worried of that. In other contexts you inherit file handles via exec and having a "root opened so its special" model is bad. Historically it led to things like the rlogin/rsh hacks on SunOS and friends where a program run by the rsh daemon got a root opened socket as its stdin/out and could issue ifconfig ioctls on it at will. Not a good model. Any removal of filters and passing them to a task should be explicit. The behaviour really ought to be to permit the intentional setting of explicit filters then passing them, not touch the default behaviour. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/