On 8/12/19 2:46 PM, James Bottomley wrote:
>
> So far we've mitigated the security threat by withdrawing the v4
> r/w interface which you don't use and keeping the sg nodes root only
> for v3 r/w.  Unless we get another security incident based on them, as
> long as the use case doesn't expand, I think the prior issue is pretty
> nasty but contained to root who should know what they're doing, so
> there's no pressing need to remove it.

So if there is no plan to remove read/write from sg v3 for root, then I
don't see a need for the new ioctl()s to replace them.


> Given that shifting to ioctls or a different async interface would be
> development anyway, is there a solid reason you couldn't also shift to
> v4 if you do that?  I know all the field names changed but for a
> standard SCSI command it should be very similar to v3.
>
>
I suppose we could move our codebase to sg v4 eventually.  Right now we
don't need any new features from it, so there is no compelling case to
make the move.  Besides, we are pretty far behind in the kernel version
that we are shipping due to lack of developer time, so it may be a long
time before I can update to a kernel version with these patches anyway.

Tony Battersby
Cybernetics
