The trouble with CAP_SYS_RAWIO

The trouble with CAP_SYS_RAWIO

Posted Mar 14, 2013 19:52 UTC (Thu) by WolfWings (subscriber, #56790)
In reply to: The trouble with CAP_SYS_RAWIO by mjg59
Parent article: The trouble with CAP_SYS_RAWIO

Actually I don't believe the suggested change (move the check for write-modes to the open()) breaks userspace. Not the 'silent downgrade to read-only' which is the entire problem right now and identical to the 'check on write()' problem.

Right now you don't appear to be able to drop-all-caps then open /dev/msr, you need to open it first then drop privs as there already is a check to block so much as reads unless you have the RAWIO cap.

So how does the "read = RAWIO, write = RAWIO && COMPROMISE" check on open() instead of on write() break userspace? Programs would be refused access to /dev/msr and complain about it, same as before, and their existing 'Check your caps!' error messages would still apply.

There's a difference between 'breaking' userspace in a way that existing apps' error messages don't apply and may not even have error-handling paths for the new issues, and simply enforcing stronger checks in a way compatible with existing error handling.

The trouble with CAP_SYS_RAWIO

Posted Mar 14, 2013 20:03 UTC (Thu) by mjg59 (subscriber, #23239) [Link]

A program used to work. After a change, that program no longer works. A non-working program is broken. Breaking that program doesn't add any real additional security in the common (ie, non-Secure Boot) case, and so is undesirable.

The trouble with CAP_SYS_RAWIO

Posted Mar 17, 2013 15:46 UTC (Sun) by mrjk (subscriber, #48482) [Link]

With the suggested change there would be no program that used to work that would not work now that I can see. Every single current program that worked with dropping privileges after an open would still work the exact same way with caching the new capability at open time and using the cached value on those opened channels.

Can you give an example that would now break -- that wouldn't have broken already?

The trouble with CAP_SYS_RAWIO

Posted Mar 17, 2013 17:02 UTC (Sun) by mjg59 (subscriber, #23239) [Link]

Any application that drops all privileges other than CAP_SYS_RAWIO before attempting the open?
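A small C model of the two check placements argued over in this thread (an added illustration, not code from LWN, the kernel or any commenter): policy A re-checks the caller's current capabilities on every write(), policy B checks at open() for the requested mode and caches the decision on the file. CAP_COMPROMISE is a placeholder name for the proposed second capability, and the scenarios are the two from the thread: open-then-drop-privileges, and drop-to-RAWIO-only-then-open.

```c
/* Model of the "check on write()" vs "check on open()" placements; not kernel code. */
#include <stdbool.h>

enum { CAP_RAWIO = 1u << 0, CAP_COMPROMISE = 1u << 1 }; /* placeholder bits */

struct msr_file { bool is_open; bool may_write; };

/* Policy A: RAWIO needed to open; write() re-checks the caller's *current* caps. */
static bool a_open(unsigned caps, struct msr_file *f)
{
    if (!(caps & CAP_RAWIO))
        return false;
    f->is_open = true;
    return true;
}
static bool a_write(unsigned caps, const struct msr_file *f)
{
    return f->is_open && (caps & CAP_RAWIO) && (caps & CAP_COMPROMISE);
}

/* Policy B: decide at open() for the requested mode, cache it on the file,
 * and let write() consult only the cached decision. */
static bool b_open(unsigned caps, bool for_write, struct msr_file *f)
{
    if (!(caps & CAP_RAWIO))
        return false;
    if (for_write && !(caps & CAP_COMPROMISE))
        return false;
    f->is_open = true;
    f->may_write = for_write;
    return true;
}
static bool b_write(const struct msr_file *f) { return f->is_open && f->may_write; }

enum outcome { WORKS, OPEN_REFUSED, WRITE_REFUSED };

/* Open for write with caps_at_open, then write holding caps_at_write. */
static enum outcome run(bool policy_b, unsigned caps_at_open, unsigned caps_at_write)
{
    struct msr_file f = {0};
    bool ok = policy_b ? b_open(caps_at_open, true, &f) : a_open(caps_at_open, &f);
    if (!ok)
        return OPEN_REFUSED;
    ok = policy_b ? b_write(&f) : a_write(caps_at_write, &f);
    return ok ? WORKS : WRITE_REFUSED;
}

/* Scenario 1 (WolfWings): open holding both caps, drop everything, then write. */
enum outcome open_then_drop(bool policy_b) { return run(policy_b, CAP_RAWIO | CAP_COMPROMISE, 0); }
/* Scenario 2 (mjg59): drop all but RAWIO first, then open for write and write. */
enum outcome drop_then_open(bool policy_b) { return run(policy_b, CAP_RAWIO, CAP_RAWIO); }
```

Under policy A the open-then-drop program fails at write() time, while policy B keeps it working; the drop-then-open program fails under both, but policy B reports it at open(), where existing error handling already looks for it.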

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds