From owner-cvs-all  Sun Jan 26 14:21:17 2003
Delivered-To: cvs-all@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id DEC6D37B401; Sun, 26 Jan 2003 14:21:15 -0800 (PST)
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 4879343EB2; Sun, 26 Jan 2003 14:21:15 -0800 (PST)
	(envelope-from robert@fledge.watson.org)
Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.12.6/8.12.5) with SMTP id h0QML7P4015280;
	Sun, 26 Jan 2003 17:21:07 -0500 (EST)
	(envelope-from robert@fledge.watson.org)
Date: Sun, 26 Jan 2003 17:21:06 -0500 (EST)
From: Robert Watson <rwatson@FreeBSD.org>
X-Sender: robert@fledge.watson.org
To: Garrett Wollman <wollman@lcs.mit.edu>
Cc: Poul-Henning Kamp <phk@FreeBSD.org>, cvs-committers@FreeBSD.org,
	cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/sbin/disklabel disklabel.c
In-Reply-To: <200301262214.h0QMEfiV078221@khavrinen.lcs.mit.edu>
Message-ID: <Pine.NEB.3.96L.1030126171900.24134P-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG


On Sun, 26 Jan 2003, Garrett Wollman wrote:

> <<On Sun, 26 Jan 2003 13:55:43 -0800 (PST), Poul-Henning Kamp <phk@FreeBSD.org> said:
> 
> >   If we fail to open O_RDWR, try opening O_RDONLY, if we use ioctls
> >   to fiddle the disk we can get away with it.
>   
> Uh, if the ioctls actually succeed in fiddling the disk, that's a
> serious security problem.
> 
> Probably there should be a separate .ctl node for these sorts of
> operations.

We've always had a problem with ioctl's operating on storage devices
regardless of the open mode (and permitted access modes) for the devidce
nodes.  For some device drivers, mediation occurs in the ioctl() 
implementation via some arbitrary calls to suser(), but for many, it
doesn't.  Unfortunately, ioctl() is intentionally a semantic-free
interface such that mediation must always be done at the device layer, and
we can't perform masking at higher layers where we have the open mode
available.  If we passed the 'struct file' mode down the stack more, we
could clean that up some, although the result would still arguably be
unclean.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message