
A privilege escalation via SCSI pass-through


Posted Jan 6, 2012 10:02 UTC (Fri) by lacos (subscriber, #70616)
In reply to: A privilege escalation via SCSI pass-through by dougg
Parent article: A privilege escalation via SCSI pass-through

SCSI targets accessible from within a VM would themselves be virtual; for example with storage backed from a file (or partition) on the host machine

That's about the default: virtual disks. However, please look at the title: "SCSI pass-through". The idea is to let the guest use the host's resource directly, with its own driver (strictly restricted to boundaries configured in the host).

What's passed through is a partition, not a complete disk. So the configuration is correct; the partition is basically dedicated to the guest. But the boundaries (i.e. partition, not full drive) are not properly enforced by the host.

Just my two cents.
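The boundary check that the comment above says the host fails to enforce, as an added example (not code from the comment, the kernel or any hypervisor): a hypothetical host-side filter that decodes the LBA range addressed by a READ/WRITE CDB and only lets it through when that range lies entirely inside the pass-through partition, failing closed on commands whose extent it cannot decode. The partition offsets and CDBs are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Decode the LBA and block count carried in a READ/WRITE CDB (6-, 10- and 16-byte forms).
 * Returns false for any other opcode or for a CDB shorter than its form requires. */
bool cdb_extent(const uint8_t *cdb, size_t len, uint64_t *lba, uint32_t *nblocks)
{
    if (len < 6) return false;
    switch (cdb[0]) {
    case 0x08: case 0x0A:           /* READ(6) / WRITE(6): 21-bit LBA, count 0 means 256 */
        *lba = ((uint64_t)(cdb[1] & 0x1F) << 16) | ((uint64_t)cdb[2] << 8) | cdb[3];
        *nblocks = cdb[4] ? cdb[4] : 256;
        return true;
    case 0x28: case 0x2A:           /* READ(10) / WRITE(10): 32-bit LBA, 16-bit count */
        if (len < 10) return false;
        *lba = ((uint64_t)cdb[2] << 24) | ((uint64_t)cdb[3] << 16) | ((uint64_t)cdb[4] << 8) | cdb[5];
        *nblocks = ((uint32_t)cdb[7] << 8) | cdb[8];
        return true;
    case 0x88: case 0x8A:           /* READ(16) / WRITE(16): 64-bit LBA, 32-bit count */
        if (len < 16) return false;
        *lba = 0;
        for (int i = 2; i < 10; i++) *lba = (*lba << 8) | cdb[i];
        *nblocks = ((uint32_t)cdb[10] << 24) | ((uint32_t)cdb[11] << 16) | ((uint32_t)cdb[12] << 8) | cdb[13];
        return true;
    default:
        return false;
    }
}

/* Allow a pass-through CDB only if every block it touches lies inside the partition
 * [part_start, part_start + part_len), expressed in whole-device LBAs. Commands whose
 * extent cannot be decoded (INQUIRY, vendor opcodes, ...) are denied: fail closed. */
bool cdb_within_partition(const uint8_t *cdb, size_t len, uint64_t part_start, uint64_t part_len)
{
    uint64_t lba;
    uint32_t nblocks;
    if (!cdb_extent(cdb, len, &lba, &nblocks)) return false;
    if (lba < part_start || lba > UINT64_MAX - nblocks) return false;
    return lba + nblocks <= part_start + part_len;   /* caller guarantees start + len fits */
}

/* Constructed sample CDBs, checked against a partition at LBA 2048 of 8192 blocks. */
static const uint8_t kRead6Start[6]       = {0x08, 0x00, 0x08, 0x00, 0x10, 0};            /* LBA 2048, 16 blocks */
static const uint8_t kWrite10Inside[10]   = {0x2A, 0, 0x00, 0x00, 0x10, 0x00, 0, 0x00, 0x08, 0}; /* LBA 4096, 8 */
static const uint8_t kWrite10Table[10]    = {0x2A, 0, 0x00, 0x00, 0x00, 0x00, 0, 0x00, 0x01, 0}; /* LBA 0: partition table */
static const uint8_t kWrite16Straddle[16] = {0x8A, 0, 0, 0, 0, 0, 0, 0, 0x27, 0xFC, 0, 0, 0, 8, 0, 0}; /* LBA 10236, 8 */
static const uint8_t kInquiry[6]          = {0x12, 0, 0, 0, 0x24, 0};                     /* no LBA: denied */
```

A real filter would sit where the host hands the guest's CDB to the device (the pass-through ioctl path); the point of the sample is that the CDB's LBA addresses the whole disk, so the block layer's partition offset never applies to it.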


A privilege escalation via SCSI pass-through

Posted Jan 7, 2012 22:02 UTC (Sat) by giraffedata (subscriber, #1954)

However, please look at the title: "SCSI pass-through".

The pass-through that refers to is passing through the block layer, so as to access the underlying SCSI storage device instead of the block device. In a virtual machine, the underlying SCSI storage device is a virtual SCSI device which itself uses an underlying real SCSI device as a resource. The issuer of a pass-through ioctl isn't supposed to have any concept of a VM host.

The kind of pass-through you're talking about is also a reasonable concept, but the way you would implement it is by defining a pass-through SCSI command class (analogous to Write or Request Sense or Eject) and having the virtual SCSI device implement it. The Passthrough CDB would include a CDB to be passed through.

It does not make any sense for an "eject" command specifying a virtual device to cause a real flash drive to eject, but there could be a "hosteject" command that ejects the underlying real flash drive. It would use a SCSI passthrough ioctl that specifies a CDB that specifies a Passthrough SCSI command that specifies an Eject command.

Leaving out the whole virtual machine scenario, it's probably just as reasonable to do SCSI pass-through to a partition block device as to a whole-device block device. In both cases, the user is insinuating himself into Linux internals -- the fact that Linux uses a SCSI device in some way to implement the block device.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds