Ping?

Paolo
On 25/10/2012 20:35, Paolo Bonzini wrote:
>> On Thu, Oct 25, 2012 at 09:37:39AM +0200, Paolo Bonzini wrote:
>>> On 24/10/2012 18:47, Tejun Heo wrote:
>>>> So, I'm still not convinced we need to go forward with full
>>>> configurability.  All use cases you described can be covered with
>>>> per-class static filters + simple override switch to disable all,
>>>> which would result in a lot simpler implementation w/ much
>>>> smaller userland interface.
>>>
>>> I'm not sure the userland interface would be smaller, and it would
>>> be more complex to get right:
>>>
>>> 1) how do you override the default?  ioctl+SCM_RIGHTS or sysfs?
>>
>> Disabling filters if opened by root and transferring via SCM_RIGHTS
>> would be the simplest interface-wise (there's no new interface at
>> all).  Would that be too dangerous security-wise?
>
> That would be a change with respect to what we have now.  After
> transferring a root-opened (better: CAP_SYS_RAWIO-opened) file
> descriptor to an unprivileged process your SG_IO commands get
> filtered.  So an ioctl is needed if you want to rely on SCM_RIGHTS.
>
>>> 2) do you need to override the default to "no access", "full
>>> access" and "default access", or is a binary knob (default
>>> access/full access) sufficient?
>>
>> Default / full should be enough, no?
>
> If an ioctl has to be added, I'd rather have at least none/full/default.
>
>>> 3) what capabilities control the setting?
>>
>> CAP_SYS_RAWIO seems to be a pretty good fit.
>
> Yes, for an ioctl it is (for sysfs CAP_SYS_ADMIN is better IMHO).
>
>> I guess I just feel quite reluctant to expose another rather obscure
>> userland configurable in-kernel filter and at the same time I'm not
>> sure whether this is flexible enough.  What if a device is shared by
>> multiple virtual machines which are trusted at different levels?
>
> No, you just don't do that.  If a device is passed through to virtual
> machines, it is between similar virtual machines (for some definition
> of similar).  The only case where you have this sharing is in practice
> if either the device is read-only (my patch does give you a basic
> two-level filtering, with two separate bitmaps for RO and RW) or if you
> allow persistent reservations (which is as close to full trust as you
> can get).
>
>> I'm not trying to block it at all cost but let's make sure we looked
>> into most possibilities before (re)adding this userland visible
>> interface.
>
> Sure, understood. :)
>
>> Jens, James, what do you guys think?
>
> Paolo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
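The point Paolo makes about SCM_RIGHTS (the capability check happens at ioctl time against the caller, so a CAP_SYS_RAWIO-opened descriptor handed to an unprivileged process is filtered again) and the none/full/default override he asks for are easy to get wrong in discussion. The following is an added example, not code from the thread, from the patch, or from the kernel: a user-space C model of the filter. Its shape follows what the thread describes and what the in-tree check in block/scsi_ioctl.c (blk_verify_command()) does, namely a default filter with one opcode bitmap for read-only opens and one for read-write opens, bypassed for CAP_SYS_RAWIO callers. The per-file override (SGIO_NONE/SGIO_FULL/SGIO_DEFAULT, settable only with CAP_SYS_RAWIO) is the proposal under debate, modelled here as an assumption; the type and function names (sgio_filter, sgio_file, set_override, verify_command) are invented for the model, and the small opcode table is constructed for the demonstration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard SCSI opcodes used in the constructed sample filter. */
#define TEST_UNIT_READY 0x00
#define FORMAT_UNIT     0x04
#define INQUIRY         0x12
#define READ_10         0x28
#define WRITE_10        0x2a

/* Open-mode bits, mirroring the kernel's FMODE_READ / FMODE_WRITE. */
#define FMODE_READ  0x1u
#define FMODE_WRITE 0x2u

/* ASSUMPTION (the proposal in the thread, not existing kernel code):
 * DEFAULT keeps the filter, NONE blocks every command, FULL disables
 * filtering for every caller of this open file. */
enum sgio_override { SGIO_DEFAULT = 0, SGIO_NONE, SGIO_FULL };

/* 256 possible opcodes, one bit each, per open mode (the two bitmaps). */
struct sgio_filter {
    uint8_t read_ok[32];
    uint8_t write_ok[32];
};

/* Model of the open file description: this is what travels with an fd
 * passed over SCM_RIGHTS. Note what is NOT here: the capabilities of
 * whoever opened the file. */
struct sgio_file {
    unsigned mode;
    enum sgio_override override;
};

static void bit_set(uint8_t *map, unsigned opcode)
{
    map[opcode >> 3] |= (uint8_t)(1u << (opcode & 7));
}

static bool bit_test(const uint8_t *map, unsigned opcode)
{
    return (map[opcode >> 3] >> (opcode & 7)) & 1u;
}

/* Constructed default filter: query commands for any open, data-modifying
 * commands only for read-write opens, FORMAT_UNIT in neither bitmap. */
void build_default_filter(struct sgio_filter *f)
{
    memset(f, 0, sizeof(*f));
    bit_set(f->read_ok, TEST_UNIT_READY);
    bit_set(f->read_ok, INQUIRY);
    bit_set(f->read_ok, READ_10);
    bit_set(f->write_ok, WRITE_10);
}

/* Verdict for one command: 0 if it may be issued, -EPERM otherwise.
 * caller_has_rawio is the capability of the process issuing the ioctl
 * right now; it is evaluated on every call, never cached in the file. */
int verify_command(const struct sgio_filter *f, const struct sgio_file *file,
                   unsigned opcode, bool caller_has_rawio)
{
    if (file->override == SGIO_NONE)
        return -EPERM;
    if (file->override == SGIO_FULL || caller_has_rawio)
        return 0;
    if (bit_test(f->read_ok, opcode))
        return 0;
    if ((file->mode & FMODE_WRITE) && bit_test(f->write_ok, opcode))
        return 0;
    return -EPERM;
}

/* ASSUMPTION: the proposed override ioctl, gated on CAP_SYS_RAWIO. */
int set_override(struct sgio_file *file, enum sgio_override ov, bool caller_has_rawio)
{
    if (!caller_has_rawio)
        return -EPERM;
    file->override = ov;
    return 0;
}

/* One verdict against the constructed default filter, for a fresh open. */
int sample_verdict(unsigned mode, enum sgio_override ov, unsigned opcode, bool rawio)
{
    struct sgio_filter f;
    struct sgio_file file = { mode, ov };
    build_default_filter(&f);
    return verify_command(&f, &file, opcode, rawio);
}

/* The SCM_RIGHTS scenario: a CAP_SYS_RAWIO process opens the device
 * read-write and hands the fd to an unprivileged process, optionally
 * lifting the filter first via the proposed ioctl. Returns the
 * unprivileged process's verdict for FORMAT_UNIT, or -1 on a modelling
 * failure (the opener itself being filtered, or an unprivileged caller
 * succeeding in changing the override). */
int format_unit_verdict_after_fd_pass(bool opener_lifts_filter)
{
    struct sgio_filter f;
    struct sgio_file file = { FMODE_READ | FMODE_WRITE, SGIO_DEFAULT };
    build_default_filter(&f);
    if (verify_command(&f, &file, FORMAT_UNIT, true) != 0)
        return -1;
    if (opener_lifts_filter && set_override(&file, SGIO_FULL, true) != 0)
        return -1;
    /* The receiver must not be able to lift the filter on its own. */
    if (set_override(&file, SGIO_FULL, false) != -EPERM)
        return -1;
    return verify_command(&f, &file, FORMAT_UNIT, false);
}

int main(void)
{
    printf("unprivileged, RW open, WRITE_10:        %d\n",
           sample_verdict(FMODE_READ | FMODE_WRITE, SGIO_DEFAULT, WRITE_10, false));
    printf("unprivileged, RO open, WRITE_10:        %d\n",
           sample_verdict(FMODE_READ, SGIO_DEFAULT, WRITE_10, false));
    printf("after fd pass, FORMAT_UNIT:             %d\n",
           format_unit_verdict_after_fd_pass(false));
    printf("after fd pass with override, FORMAT_UNIT: %d\n",
           format_unit_verdict_after_fd_pass(true));
    return 0;
}
```

Run as is, the model shows the behaviour the thread describes: WRITE_10 is allowed on a read-write open and refused on a read-only one, FORMAT_UNIT passes for the CAP_SYS_RAWIO opener but is refused once the same open file reaches an unprivileged receiver, and only an explicit override set by a capable process before the fd is passed changes that.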