Hey, Paolo. On Fri, Nov 02, 2012 at 03:49:02PM +0100, Paolo Bonzini wrote: > > Yeah, I get that it's a behavior change, but would that be a problem? > > Worse, it's a potential security hole because previously you'd get > filtering and now you wouldn't. > > Considering that SCM_RIGHTS is usually used to transfer a file > descriptor from a privileged process to an unprivileged one, I'd be very > worried of that.
Yeah, I know it's a security thing, was wondering how bad it was. So, if we choose this, I guess we'll need an ioctl to switch userland SG_IO filtering. > > What disturbs me is that it's a completely new interface to userland > > and at the same a very limited one at that. So, yeah, it's > > bothersome. I personally would prefer SCM_RIGHTS behavior change + > > hard coded filters per device class. > > I think hard-coded filters are bad (I prefer to move policy to > userspace), and SCM_RIGHTS without a ioctl is out of question, really. No rule is really absolute. To me, it seems the suggested in-kernel per-device command code filter is both too big for the given problem while being too limited for much beyond that. So, if we can get away with adding an ioctl, I personally think that would be a better approach. Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
