firewire: cdev: secure add_descriptor ioctl

The access permissions and ownership or ACL of /dev/fw* character device files will typically be set based on the device type of the respective nodes, as obtained by firewire-core from descriptors in the device's configuration ROM. An example policy is to deny write permission by default but grant write permission to files of AV/C video and audio devices and IIDC video devices. The FW_CDEV_IOC_ADD_DESCRIPTOR ioctl could be used to partly subvert such a policy: Find a device file with relaxed permissions, use the ioctl to add a descriptor with AV/C marker to the local node's ROM, thus gain access to the local node's character device file. (This is only possible if there are udev scripts installed which actively relax permissions for known device types and if there is a device of such a type connected.) Accessibility of the local node's device file is relevant to host security if the host contains two or more IEEE 1394 link layer controllers which are plugged into a single bus. Therefore change the ABI to deny FW_CDEV_IOC_ADD_DESCRIPTOR if the file belongs to a remote node. (This change has no impact on known implementers of the ABI: None of them uses the ioctl yet.) Also clarify the documentation: The ioctl affects all local nodes, not just one local node. Cc: stable@kernel.org Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
author: Stefan Richter <stefanr@s5r6.in-berlin.de> 2009-03-10 16:00:23 -0400
committer: Stefan Richter <stefanr@s5r6.in-berlin.de> 2009-03-24 15:56:50 -0400
commit: de487da8ca5839d057e1f4b57ee3f387e180b800 (patch)
tree: 92003bce782f3f1bf49183637d6dac6367c19dd0
parent: c8a25900f35e575938c791507894c036c0f2ca7d (diff)
2 files changed, 12 insertions, 1 deletions
diff --git a/drivers/firewire/fw-cdev.c b/drivers/firewire/fw-cdev.c
index 2784f91896db..160cb27e120c 100644
--- a/drivers/firewire/fw-cdev.c
+++ b/drivers/firewire/fw-cdev.c
@@ -742,9 +742,17 @@ static void release_descriptor(struct client *client,
 static int ioctl_add_descriptor(struct client *client, void *buffer)
 {
        struct fw_cdev_add_descriptor *request = buffer;
+        struct fw_card *card = client->device->card;
        struct descriptor_resource *r;
        int ret;
+        /* Access policy: Allow this ioctl only on local nodes' device files. */
+        spin_lock_irq(&card->lock);
+        ret = client->device->node_id != card->local_node->node_id;
+        spin_unlock_irq(&card->lock);
+        if (ret)
+                return -ENOSYS;
        if (request->length > 256)
                return -EINVAL;
diff --git a/include/linux/firewire-cdev.h b/include/linux/firewire-cdev.h
index de4035792f70..25bc82726ef7 100644
--- a/include/linux/firewire-cdev.h
+++ b/include/linux/firewire-cdev.h
@@ -394,6 +394,9 @@ struct fw_cdev_initiate_bus_reset {
 * If successful, the kernel adds the descriptor and writes back a handle to the
 * kernel-side object to be used for later removal of the descriptor block and
 * immediate key.
+ *
+ * This ioctl affects the configuration ROMs of all local nodes.
+ * The ioctl only succeeds on device files which represent a local node.
 */
 struct fw_cdev_add_descriptor {
        __u32 immediate;
@@ -409,7 +412,7 @@ struct fw_cdev_add_descriptor {
 *              descriptor was added
 *
 * Remove a descriptor block and accompanying immediate key from the local
- * node's configuration ROM.
+ * nodes' configuration ROMs.
 */
 struct fw_cdev_remove_descriptor {
        __u32 handle;
author	Stefan Richter <stefanr@s5r6.in-berlin.de>	2009-03-10 16:00:23 -0400
committer	Stefan Richter <stefanr@s5r6.in-berlin.de>	2009-03-24 15:56:50 -0400
commit	de487da8ca5839d057e1f4b57ee3f387e180b800 (patch)
tree	92003bce782f3f1bf49183637d6dac6367c19dd0
parent	c8a25900f35e575938c791507894c036c0f2ca7d (diff)