From: Josh Boyer <jwboyer@gmail.com>
To: Kyle McMartin <kmcmarti@redhat.com>
Cc: Matthew Garrett <matthew.garrett@nebula.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
kexec@lists.infradead.org, linux-pci@vger.kernel.org
Subject: Re: [PATCH 05/12] PCI: Require CAP_COMPROMISE_KERNEL for PCI BAR access
Date: Thu, 28 Mar 2013 08:46:04 -0400 [thread overview]
Message-ID: <CA+5PVA6zYkjnzgHvso4zwg_PRZ+kssU76Fugc4p5rw3RDnYhpA@mail.gmail.com> (raw)
In-Reply-To: <20130327150807.GC14004@redacted.bos.redhat.com>
On Wed, Mar 27, 2013 at 11:08 AM, Kyle McMartin <kmcmarti@redhat.com> wrote:
> On Wed, Mar 27, 2013 at 11:03:26AM -0400, Josh Boyer wrote:
>> On Mon, Mar 18, 2013 at 5:32 PM, Matthew Garrett
>> <matthew.garrett@nebula.com> wrote:
>> > Any hardware that can potentially generate DMA has to be locked down from
>> > userspace in order to avoid it being possible for an attacker to cause
>> > arbitrary kernel behaviour. Default to paranoid - in future we can
>> > potentially relax this for sufficiently IOMMU-isolated devices.
>> >
>> > Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
>>
>> As noted here:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=908888
>>
>> this breaks pci passthru with QEMU. The suggestion in the bug is to move
>> the check from read/write to open, but sysfs makes that somewhat
>> difficult. The open code is part of the core sysfs functionality shared
>> with the majority of sysfs files, so adding a check there would restrict
>> things that clearly don't need to be restricted.
>>
>> Kyle had the idea to add a cap field to the attribute structure, and do
>> a capable check if that is set. That would allow for a more generic
>> usage of capabilities in sysfs code, at the cost of slightly increasing
>> the structure size and open path. That seems somewhat promising if we
>> stick with capabilities.
>>
>> I would love to just squarely blame capabilities for causing this, but we
>> can't just replace it with an efi_enabled(EFI_SECURE_BOOT) check because
>> of the sysfs open case. I'm not sure there are great answers here.
>>
>
> Yeah, that was something like this (I don't even remember which Fedora
> kernel version this was against.)
Mostly an FYI for the peanut gallery, but we noticed moving the cap check
to open breaks lspci being run by an unprivileged user. It also doesn't
fix pci passthrough because QEMU opens the PCI resource files by itself
after it's already dropped all caps.
More thinking required.
josh
WARNING: multiple messages have this Message-ID (diff)
From: Josh Boyer <jwboyer@gmail.com>
To: Kyle McMartin <kmcmarti@redhat.com>
Cc: Matthew Garrett <matthew.garrett@nebula.com>,
linux-efi@vger.kernel.org, linux-pci@vger.kernel.org,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 05/12] PCI: Require CAP_COMPROMISE_KERNEL for PCI BAR access
Date: Thu, 28 Mar 2013 08:46:04 -0400 [thread overview]
Message-ID: <CA+5PVA6zYkjnzgHvso4zwg_PRZ+kssU76Fugc4p5rw3RDnYhpA@mail.gmail.com> (raw)
In-Reply-To: <20130327150807.GC14004@redacted.bos.redhat.com>
On Wed, Mar 27, 2013 at 11:08 AM, Kyle McMartin <kmcmarti@redhat.com> wrote:
> On Wed, Mar 27, 2013 at 11:03:26AM -0400, Josh Boyer wrote:
>> On Mon, Mar 18, 2013 at 5:32 PM, Matthew Garrett
>> <matthew.garrett@nebula.com> wrote:
>> > Any hardware that can potentially generate DMA has to be locked down from
>> > userspace in order to avoid it being possible for an attacker to cause
>> > arbitrary kernel behaviour. Default to paranoid - in future we can
>> > potentially relax this for sufficiently IOMMU-isolated devices.
>> >
>> > Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
>>
>> As noted here:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=908888
>>
>> this breaks pci passthru with QEMU. The suggestion in the bug is to move
>> the check from read/write to open, but sysfs makes that somewhat
>> difficult. The open code is part of the core sysfs functionality shared
>> with the majority of sysfs files, so adding a check there would restrict
>> things that clearly don't need to be restricted.
>>
>> Kyle had the idea to add a cap field to the attribute structure, and do
>> a capable check if that is set. That would allow for a more generic
>> usage of capabilities in sysfs code, at the cost of slightly increasing
>> the structure size and open path. That seems somewhat promising if we
>> stick with capabilities.
>>
>> I would love to just squarely blame capabilities for causing this, but we
>> can't just replace it with an efi_enabled(EFI_SECURE_BOOT) check because
>> of the sysfs open case. I'm not sure there are great answers here.
>>
>
> Yeah, that was something like this (I don't even remember which Fedora
> kernel version this was against.)
Mostly an FYI for the peanut gallery, but we noticed moving the cap check
to open breaks lspci being run by an unprivileged user. It also doesn't
fix pci passthrough because QEMU opens the PCI resource files by itself
after it's already dropped all caps.
More thinking required.
josh
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2013-03-28 12:46 UTC|newest]
Thread overview: 129+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-18 21:32 [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` [PATCH 02/12] SELinux: define mapping for CAP_COMPROMISE_KERNEL Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` [PATCH 03/12] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` [PATCH 04/12] efi: Enable secure boot lockdown automatically when enabled in firmware Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` [PATCH 05/12] PCI: Require CAP_COMPROMISE_KERNEL for PCI BAR access Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-27 15:03 ` Josh Boyer
2013-03-27 15:03 ` Josh Boyer
2013-03-27 15:08 ` Kyle McMartin
2013-03-27 15:08 ` Kyle McMartin
2013-03-28 12:46 ` Josh Boyer [this message]
2013-03-28 12:46 ` Josh Boyer
2013-03-18 21:32 ` [PATCH 06/12] x86: Require CAP_COMPROMISE_KERNEL for IO port access Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-20 1:00 ` H. Peter Anvin
2013-03-20 1:00 ` H. Peter Anvin
2013-03-18 21:32 ` [PATCH 07/12] ACPI: Limit access to custom_method Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` [PATCH 08/12] asus-wmi: Restrict debugfs interface Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` [PATCH 09/12] Require CAP_COMPROMISE_KERNEL for /dev/mem and /dev/kmem access Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` [PATCH 10/12] acpi: Ignore acpi_rsdp kernel parameter in a secure boot environment Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-19 8:47 ` Dave Young
2013-03-19 8:47 ` Dave Young
2013-03-19 8:47 ` Dave Young
2013-03-19 11:19 ` Josh Boyer
2013-03-19 11:19 ` Josh Boyer
2013-03-19 11:19 ` Josh Boyer
2013-03-19 17:07 ` [PATCH v2] " Josh Boyer
2013-03-19 17:07 ` Josh Boyer
2013-03-18 21:32 ` [PATCH 11/12] x86: Require CAP_COMPROMISE_KERNEL for MSR writing Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` [PATCH 12/12] kexec: Require CAP_SYS_COMPROMISE_KERNEL Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-18 21:32 ` Matthew Garrett
2013-03-19 4:47 ` [PATCH 01/12] Security: Add CAP_COMPROMISE_KERNEL James Morris
2013-03-19 4:47 ` James Morris
2013-03-19 4:47 ` James Morris
2013-03-20 1:03 ` H. Peter Anvin
2013-03-20 1:03 ` H. Peter Anvin
2013-03-20 16:41 ` Mimi Zohar
2013-03-20 16:41 ` Mimi Zohar
2013-03-20 16:49 ` Matthew Garrett
2013-03-20 16:49 ` Matthew Garrett
2013-03-20 16:49 ` Matthew Garrett
2013-03-20 16:49 ` Matthew Garrett
2013-03-20 18:01 ` Mimi Zohar
2013-03-20 18:01 ` Mimi Zohar
2013-03-20 18:01 ` Mimi Zohar
2013-03-20 18:12 ` Matthew Garrett
2013-03-20 18:12 ` Matthew Garrett
2013-03-20 18:12 ` Matthew Garrett
2013-03-20 18:12 ` Matthew Garrett
2013-03-20 19:16 ` Mimi Zohar
2013-03-20 19:16 ` Mimi Zohar
2013-03-20 19:16 ` Mimi Zohar
2013-03-20 19:16 ` Mimi Zohar
2013-03-20 20:37 ` Matthew Garrett
2013-03-20 20:37 ` Matthew Garrett
2013-03-20 20:37 ` Matthew Garrett
2013-03-20 20:37 ` Matthew Garrett
2013-03-20 21:11 ` Mimi Zohar
2013-03-20 21:11 ` Mimi Zohar
2013-03-20 21:11 ` Mimi Zohar
2013-03-20 21:18 ` Matthew Garrett
2013-03-20 21:18 ` Matthew Garrett
2013-03-20 21:18 ` Matthew Garrett
2013-03-20 21:18 ` Matthew Garrett
2013-03-21 13:43 ` Vivek Goyal
2013-03-21 13:43 ` Vivek Goyal
2013-03-21 13:43 ` Vivek Goyal
2013-03-21 13:43 ` Vivek Goyal
2013-03-21 15:37 ` Serge E. Hallyn
2013-03-21 15:37 ` Serge E. Hallyn
2013-03-21 15:37 ` Serge E. Hallyn
2013-03-21 15:37 ` Serge E. Hallyn
2013-03-21 15:52 ` Vivek Goyal
2013-03-21 15:52 ` Vivek Goyal
2013-03-21 15:52 ` Vivek Goyal
2013-03-21 15:52 ` Vivek Goyal
2013-03-21 15:58 ` Serge E. Hallyn
2013-03-21 15:58 ` Serge E. Hallyn
2013-03-21 15:58 ` Serge E. Hallyn
2013-03-21 15:58 ` Serge E. Hallyn
2013-03-21 16:04 ` Vivek Goyal
2013-03-21 16:04 ` Vivek Goyal
2013-03-21 16:04 ` Vivek Goyal
2013-03-21 16:19 ` Serge E. Hallyn
2013-03-21 16:19 ` Serge E. Hallyn
2013-03-21 16:19 ` Serge E. Hallyn
2013-03-21 16:19 ` Serge E. Hallyn
2013-03-21 17:15 ` Vivek Goyal
2013-03-21 17:15 ` Vivek Goyal
2013-03-21 17:15 ` Vivek Goyal
2013-03-21 17:15 ` Vivek Goyal
2013-03-21 1:58 ` James Morris
2013-03-21 1:58 ` James Morris
2013-03-19 7:18 ` Yves-Alexis Perez
2013-03-19 7:18 ` Yves-Alexis Perez
2013-03-20 1:02 ` H. Peter Anvin
2013-03-20 1:02 ` H. Peter Anvin
2013-03-20 1:05 ` H. Peter Anvin
2013-03-20 1:05 ` H. Peter Anvin
2013-03-20 13:15 ` Matthew Garrett
2013-03-20 13:15 ` Matthew Garrett
2013-03-20 13:15 ` Matthew Garrett
2013-03-20 13:15 ` Matthew Garrett
2013-03-20 15:03 ` H. Peter Anvin
2013-03-20 15:03 ` H. Peter Anvin
2013-03-20 15:03 ` H. Peter Anvin
2013-03-20 15:03 ` H. Peter Anvin
2013-03-20 15:14 ` Matthew Garrett
2013-03-20 15:14 ` Matthew Garrett
2013-03-20 15:14 ` Matthew Garrett
2013-03-20 15:14 ` Matthew Garrett
2013-03-20 16:45 ` H. Peter Anvin
2013-03-20 16:45 ` H. Peter Anvin
2013-03-20 16:45 ` H. Peter Anvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+5PVA6zYkjnzgHvso4zwg_PRZ+kssU76Fugc4p5rw3RDnYhpA@mail.gmail.com \
--to=jwboyer@gmail.com \
--cc=kexec@lists.infradead.org \
--cc=kmcmarti@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.