Re: [PATCH 2/2 v2] pci: use security_capable() when checkingcapablities during config space read

From: Jesse Barnes
Date: Fri Mar 04 2011 - 13:25:36 EST

Next message: Dan Carpenter: "Re: [PATCH 1/1] x86: Fix mcheck_init_device() to handlemisc_register() correctly"
Previous message: Tejun Heo: "Re: [PATCH v2.6.38-rc5 2/2] block: blk-flush shouldn't calldirectly into q->request_fn() __blk_run_queue()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 10 Feb 2011 15:58:56 -0800
Chris Wright <chrisw@xxxxxxxxxxxx> wrote:

> * James Morris (jmorris@xxxxxxxxx) wrote:
> > What about these other users of cap_raised?
> >
> > drivers/block/drbd/drbd_nl.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) {
> > drivers/md/dm-log-userspace-transfer.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> > drivers/staging/pohmelfs/config.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
> > drivers/video/uvesafb.c: if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN))
>
> Those are a security_netlink_recv() variant. They should be converted
> although makes sense as a different patchset.
>
> > Also, should this have a reported-by for Eric ?
>
> Yes it should, thanks. Below is patch with Reported-by added (seemed
> overkill to respin the series; holler if that's perferred).
>
> thanks,
> -chris
> ---
>
> From: Chris Wright <chrisw@xxxxxxxxxxxx>
> Subject: [PATCH 2/2 v2] pci: use security_capable() when checking capablities during config space read
>
> Eric Paris noted that commit de139a3 ("pci: check caps from sysfs file
> open to read device dependent config space") caused the capability check
> to bypass security modules and potentially auditing. Rectify this by
> calling security_capable() when checking the open file's capabilities
> for config space reads.
>
> Reported-by: Eric Paris <eparis@xxxxxxxxxx>
> Cc: Eric Paris <eparis@xxxxxxxxxx>
> Cc: Greg Kroah-Hartman <gregkh@xxxxxxx>
> Cc: Jesse Barnes <jbarnes@xxxxxxxxxxxxxxxx>
> Cc: Alan Cox <alan@xxxxxxxxxxxxxxxxxxx>
> Cc: linux-pci@xxxxxxxxxxxxxxx
> Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
> ---
> drivers/pci/pci-sysfs.c | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)

Sorry for the late reply, but this is fine with me. Should probably
just get pushed along with the change to security_capable (assuming
that hasn't been done already).

Acked-by: Jesse Barnes <jbarnes@xxxxxxxxxxxxxxxx>

--
Jesse Barnes, Intel Open Source Technology Center
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dan Carpenter: "Re: [PATCH 1/1] x86: Fix mcheck_init_device() to handlemisc_register() correctly"
Previous message: Tejun Heo: "Re: [PATCH v2.6.38-rc5 2/2] block: blk-flush shouldn't calldirectly into q->request_fn() __blk_run_queue()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]