[RFC] New security model for scsi_cmd_ioctl

[Andreas Messer]

On Wed, Aug 18, 2004 at 11:09:44AM +0200, Frank Steiner wrote:

> Does it, by the way, make any sense that I report this here? Or will the
> security model have to be desgined first like you discussed it, before
> such tests are helpful? Just to avoid that I flood you with a list of
> blocked commands when you can't make any use of it now :-)

I don't know. The problem, is that the model has completely redesigned to
improve security, as some commands for mmc-drives are necessary 
(like FORMAT) and destructive on harddiscs. Marc and i think, that there 
should be a additional parameter for verify_command, which specifies the 
device class. 
The problem is, that there is now way to detect the device class within the 
functions sg_io and sg_scsi_ioctl or even scsi_cmd_ioctl (which calles the
other functions). So the parameter has to be given to scsi_cmd_ioctl. This
function is called within the kernel from cdrom.c, sd.c, st.c and ide.c but
i'm not sure, if there are another ways to call this function. (i'm not so
familar with the kernel source) If so, there may be no save way to hand 
over the device class. 
Then we need a new acl, based on device class and command. This list seems
to be very large - who maintains it? Perhaps it would be better to have
a linked list with some default values, which may be changed from 
userspace (like iptables). Another problem might be the SCSI sub-commands. 
I'm not sure, if they have to be checked too.

 
Andreas
-- 
gnuPG keyid: 0xE94F63B7 
fingerprint: D189 D5E3 FF4B 7E24 E49D 7638 07C5 924C E94F 63B7
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/