linux-pci.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg KH <gregkh@linuxfoundation.org>
To: Allen <allen.lkml@gmail.com>
Cc: linux-pci@vger.kernel.org, bhelgaas@google.com, ast@kernel.org,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Allen Pais <apais@linux.microsoft.com>,
	Allen Pais <allen.pais@lkml.com>
Subject: Re: [RFC] PCI: allow sysfs file owner to read the config space with CAP_SYS_RAWIO
Date: Mon, 19 Oct 2020 15:16:13 +0200	[thread overview]
Message-ID: <20201019131613.GA3254417@kroah.com> (raw)
In-Reply-To: <CAOMdWSJDJ-uXpis1WbG3LnOG7bMiif5Q4Maafv_a=55Y_qypfQ@mail.gmail.com>

On Mon, Oct 19, 2020 at 06:30:16PM +0530, Allen wrote:
> > >
> > >  Access to pci config space is explictly checked with CAP_SYS_ADMIN
> > > in order to read configuration space past the frist 64B.
> > >
> > >  Since the path is only for reading, could we use CAP_SYS_RAWIO?
> >
> > Why?  What needs this reduced capability?
> 
> Thanks for the review.
> 
> We need read access to /sys/bus/pci/devices/,  We need write access to config,
> remove, rescan & enable files under the device directory for each PCIe
> functions & the downstream PCIe port.
> 
> We need r/w access to sysfs to unbind and rebind the root complex.

That didn't answer my question at all.

Why can't you have the process that wants to do all of the above, have
admin rights as well?  Doing all of that is _very_ low-level and can
cause all sorts of horrible things to happen to your machine, and is not
really "raw io" in the traditional sense at all, right?

greg k-h

  reply	other threads:[~2020-10-19 13:15 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-16  5:52 [RFC] PCI: allow sysfs file owner to read the config space with CAP_SYS_RAWIO Allen Pais
2020-10-16  6:20 ` Greg KH
2020-10-19 13:00   ` Allen
2020-10-19 13:16     ` Greg KH [this message]
2020-10-19 13:21       ` Allen
2020-10-19 13:47         ` Greg KH
2020-10-19 14:32           ` Allen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201019131613.GA3254417@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=allen.lkml@gmail.com \
    --cc=allen.pais@lkml.com \
    --cc=apais@linux.microsoft.com \
    --cc=ast@kernel.org \
    --cc=bhelgaas@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-pci@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).