In-Reply-To: <20171105073121.GB1431@kroah.com>
References: <20171105025635.10843-1-asarai@suse.de> <20171105073121.GB1431@kroah.com>
From: Aleksa Sarai
Date: Sun, 5 Nov 2017 20:11:20 +1100
Subject: Re: [PATCH v3] scsi: require CAP_SYS_ADMIN to write to procfs interface
To: Greg KH
Cc: Aleksa Sarai, "James E.J. Bottomley", "Martin K. Petersen", linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, containers@lists.linux-foundation.org, Valentin Rothberg, stable@vger.kernel.org, "Eric W. Biederman"

I've booted it on a few of my laptops, and nothing seemed to break. Is
there a particular test-suite you'd recommend that I run?

On Sun, Nov 5, 2017 at 6:31 PM, Greg KH wrote:
> On Sun, Nov 05, 2017 at 01:56:35PM +1100, Aleksa Sarai wrote:
>> Previously, the only capability effectively required to operate on the
>> /proc/scsi interface was CAP_DAC_OVERRIDE (or for some other files,
>> having an fsuid of GLOBAL_ROOT_UID was enough). This means that
>> semi-privileged processes could interfere with core components of a
>> system (such as causing a DoS by removing the underlying SCSI device of
>> the host's / mount).
>
> Given that the previous patch didn't even compile, I worry that you have
> not tested this at all to see what breaks/changes in userspace with this
> type of user-visible api change.
>
> What did you do to test this?
>
> thanks,
>
> greg k-h

--
Aleksa Sarai (cyphar)
www.cyphar.com
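
An added example, not part of the original thread or of the patch: a small C audit helper that reads the CapEff line of a /proc/<pid>/status excerpt and reports whether that process falls into the "semi-privileged" class the commit message describes, i.e. one whose write access to /proc/scsi changes once CAP_SYS_ADMIN is required. The names parse_capeff and classify are hypothetical, the status excerpt is constructed, and the model is a simplification that ignores file mode bits and the fsuid-root case mentioned above.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers from <linux/capability.h>. */
#define BIT_DAC_OVERRIDE 1
#define BIT_SYS_ADMIN    21

enum verdict { DENIED_BOTH, ALLOWED_BOTH, ALLOWED_ONLY_BEFORE };

/* Pull the effective capability mask out of /proc/<pid>/status text.
 * Returns 0 on success, -1 when no well-formed CapEff line exists. */
int parse_capeff(const char *status, uint64_t *mask)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *q = p + 7;
            while (*q == ' ' || *q == '\t') q++;
            if (!isxdigit((unsigned char)*q)) return -1; /* empty value */
            *mask = strtoull(q, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Simplified model (assumption): file mode and the fsuid-root case are
 * ignored; "before" needs CAP_DAC_OVERRIDE, "after" also CAP_SYS_ADMIN. */
enum verdict classify(uint64_t capeff)
{
    int dac = (capeff >> BIT_DAC_OVERRIDE) & 1;
    int adm = (capeff >> BIT_SYS_ADMIN) & 1;
    if (!dac) return DENIED_BOTH;
    return adm ? ALLOWED_BOTH : ALLOWED_ONLY_BEFORE;
}

int main(void)
{
    /* Constructed sample: status excerpt of a process holding
     * CAP_DAC_OVERRIDE but not CAP_SYS_ADMIN. */
    const char *sample = "Name:\tdemo\nCapPrm:\t00000000a80425fb\n"
                         "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n";
    static const char *names[] = { "denied before and after",
        "allowed before and after", "allowed before, denied after" };
    uint64_t mask;
    if (parse_capeff(sample, &mask) != 0) return 1;
    printf("CapEff=%016llx: %s\n", (unsigned long long)mask, names[classify(mask)]);
    return 0;
}
```

Processes reported as "allowed before, denied after" are the ones whose userspace behaviour the change affects, which makes them the cases worth exercising when testing it.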