Date: Fri, 08 Apr 2022 08:50:24 -0700
From: Kees Cook
To: Bjorn Helgaas, David Stevens
CC: linux-pci@vger.kernel.org, Bjorn Helgaas, Greg Kroah-Hartman, linux-kernel@vger.kernel.org
Subject: Re: [RFC] PCI: sysfs: add bypass for config read admin check
In-Reply-To: <20220406111751.GA132418@bhelgaas>

On April 6, 2022 4:17:51 AM PDT, Bjorn Helgaas wrote:
>[+cc Kees]
>
>On Wed, Apr 06, 2022 at 04:11:31PM +0900, David Stevens wrote:
>> From: David Stevens
>> 
>> Add a moduleparam that can be set to bypass the check that limits users
>> without CAP_SYS_ADMIN to only being able to read the first 64 bytes of
>> the config space. This allows systems without problematic hardware to be
>> configured to allow users without CAP_SYS_ADMIN to read PCI
>> capabilities.
>
>Can you expand this a bit to explain the purpose of this? I guess it
>makes "lspci -v" work without having to be root? How much of a
>problem is that? Is there some specific use case that needs this
>change? Maybe there's some way to address that without having to add
>a new parameter that bypasses CAP_SYS_ADMIN.

Yeah, this doesn't seem right to me. There are tons of ways in userspace to deal with these permissions (e.g. sudo with lspci, suid wrapper, etc).

-Kees

>
>> Signed-off-by: David Stevens
>> ---
>> drivers/pci/pci-sysfs.c | 10 +++++++++-
>> 1 file changed, 9 insertions(+), 1 deletion(-)
>> 
>> diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
>> index 602f0fb0b007..162423b3c052 100644
>> --- a/drivers/pci/pci-sysfs.c
>> +++ b/drivers/pci/pci-sysfs.c
>> @@ -28,10 +28,17 @@
>> #include
>> #include
>> #include
>> +#include
>> #include "pci.h"
>> 
>> static int sysfs_initialized; /* = 0 */
>> 
>> +static bool allow_unsafe_config_reads;
>> +module_param_named(allow_unsafe_config_reads,
>> + allow_unsafe_config_reads, bool, 0644);
>> +MODULE_PARM_DESC(allow_unsafe_config_reads,
>> + "Enable full read access to config space without CAP_SYS_ADMIN.");
>> +
>> /* show configuration fields */
>> #define pci_config_attr(field, format_string) \
>> static ssize_t \
>> @@ -696,7 +703,8 @@ static ssize_t pci_read_config(struct file *filp, struct kobject *kobj,
>> u8 *data = (u8 *) buf;
>> 
>> /* Several chips lock up trying to read undefined config space */
>> - if (file_ns_capable(filp, &init_user_ns, CAP_SYS_ADMIN))
>> + if (allow_unsafe_config_reads ||
>> + file_ns_capable(filp, &init_user_ns, CAP_SYS_ADMIN))
>> size = dev->cfg_size;
>> else if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS)
>> size = 128;
>> --
>> 2.35.1.1094.g7c7d902a7c-goog
>> 

-- 
Kees Cook
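Review bot: in the `@@ -28,10 +28,17 @@` hunk the parameter is registered with mode 0644, so `allow_unsafe_config_reads` can be flipped at runtime through sysfs rather than only at boot, and the diffstat (only drivers/pci/pci-sysfs.c touched) shows no matching entry in Documentation/admin-guide/kernel-parameters.txt. If the knob survives review, 0444 would make enabling the bypass a deliberate boot-time decision, and the documentation should state that it reopens the hardware-lockup hazard the check exists to guard against, since the MODULE_PARM_DESC text only mentions the access grant, not the risk.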
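Review bot: the `@@ -696,7 +703,8 @@` hunk replaces a per-caller capability check with a global boolean, but the comment kept directly above it ("Several chips lock up trying to read undefined config space") says the 64-byte limit exists to stop unprivileged reads from hanging the machine, not merely to hide data, so with the parameter set a config-space read from any local user becomes a denial-of-service risk on affected hardware. Nothing in this code can verify the commit message's premise that the system has no "problematic" device; a per-device quirk, or the userspace routes Bjorn and Kees mention (sudo or a suid wrapper around lspci), keeps the hazard gated to an administrator. Leaving pci_write_config untouched is correct and should stay that way if the patch is reworked.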