Hello, Paolo. On Thu, Oct 25, 2012 at 02:35:20PM -0400, Paolo Bonzini wrote: > > Disabling filters if opened by root and tranfering via SCM_RIGHTS > > would be the simplest interface-wise (there's no new interface at > > all). Would that be too dangerous security-wise? > > That would be a change with respect to what we have now. After > transferring a root-opened (better: CAP_SYS_RAWIO-opened) file > descriptor to an unprivileged process your SG_IO commands get > filtered. So a ioctl is needed if you want to rely on SCM_RIGHTS.
Yeah, I get that it's a behavior change, but would that be a problem? > > I guess I just feel quite reluctant to expose another rather obscure > > userland configurable in-kernel filter and at the same time I'm not > > sure whether this is flexible enough. What if a device is shared by > > multiple virtual machines which are trusted at different levels? > > No, you just don't do that. If a device is passed through to virtual > machines, it is between similar virtual machines (for some definition > of similar). The only case where you have this sharing is in practice > if either the device is read-only (my patch does give you a basic > two-level filtering, with two separate bitmaps for RO and RW) or if you > allow persistent reservations (which is as close to full trust as you > can get). What disturbs me is that it's a completely new interface to userland and at the same a very limited one at that. So, yeah, it's bothersome. I personally would prefer SCM_RIGHTS behavior change + hard coded filters per device class. But, I'd really like to hear what other guys are thinking. Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? Jens? :P Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
