<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div dir="ltr"><div>Problem:</div><div>Has anyone thought about a mechanism to limit/remove access to a</div><div>device during an application's runtime? Meaning we have an application</div><div>that has an open file descriptor to some /dev/node and depending on</div>
<div>*something* it gains or loses access to it gracefully (with or</div><div>without a notification, but without any fatal consequences).</div><div><br></div><div>Example:</div><div>LXC. Imagine we have 2 separate containers. Both running full operating</div>
<div>systems. Specifically with 2 X servers. Both running concurrently of</div><div>course. Both need the same input devices (e.g. we have just one mouse).</div><div>This creates a security problem when we want to have completely separate</div>
<div>environments. One container is active (being displayed on a monitor and</div><div>controlled with a mouse) while the other container runs evtest</div><div>/dev/input/something and grabs the secret password the user typed in the</div>
<div>other.</div><div><br></div><div>Solutions:</div><div>The complete solution would comprise 2 parts:</div><div>- a mechanism that would allow temporarily "hiding" a device from an</div><div>open file descriptor.</div>
<div>- a mechanism for deciding whether an application/process/namespace should</div><div>have access to a specific device at a specific moment</div><div><br></div><div>Let's focus on the first problem only, as it would need to be solved</div>
<div>first anyway. I haven't found anything that would allow me to do</div><div>it. There are a lot of mechanisms that make it possible to restrict</div><div>access during open():</div><div>- DAC</div><div>- ACL (controlled by hand or with uaccess)</div>
<div>- LSM (in general)</div><div>- device cgroups</div><div>But none of those can do a thing once the device is already opened and</div><div>an application has a file descriptor. I don't see such a mechanism in</div>
<div>kernel sources either.</div><div><br></div><div>I do imagine that it would not be possible for every device to handle</div><div>such a thing (dri comes to mind) without breaking something (graphics</div><div>card state in the dri example). But there is a class of simple input/output</div>
<div>devices that would handle this without problems.</div><div><br></div><div>I did implement some proof-of-concept solution for the evdev driver by</div><div>allowing or disallowing events that go to the evdev_client structure using</div>
<div>some arbitrary condition. But this is far from a generic solution.</div><div><br></div><div>My proof-of-concept is somewhat similar to this (I just found it):</div><div><a href="http://www.spinics.net/lists/linux-input/msg25547.html">http://www.spinics.net/lists/linux-input/msg25547.html</a></div>
<div>Though a little bit wider in scope. But neither is flawless nor</div><div>generic.</div><div><br></div><div>Has anyone had any thoughts about a similar problem?</div><div><br></div><div><br></div>-- <br>Regards<br>Havner<br>
</div>
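<div><br></div><div>Added example (not code from the post, from the linked patch, or from the kernel): a userspace C model of the evdev per-open-file fan-out with the proof-of-concept's per-client condition evaluated at delivery time rather than at open(). model_dev, model_client, dev_pass_event, client_revoke and the container ids are made-up stand-ins for the kernel structures they mimic; only EV_KEY and KEY_A carry evdev's real numeric values. It plays out the scenario from the post (one keyboard, two containers, an evtest-style reader in the passive container) and adds one caveat the post does not spell out: a permanent revoke must also discard events already queued on the fd, or the next read() still hands them over.</div>

```c
/*
 * Added example, not code from the post or from the kernel: a userspace
 * model of evdev's per-open-file event fan-out, with the proof-of-concept's
 * "arbitrary condition" checked at delivery time instead of at open().
 * model_dev, model_client, dev_pass_event and friends are made-up stand-ins
 * for evdev, evdev_client and evdev_pass_event; only EV_KEY and KEY_A are
 * evdev's real numeric values.
 */
#include <stdbool.h>
#include <stdio.h>

#define BUF_SIZE    16   /* per-client ring buffer; must be a power of two */
#define MAX_CLIENTS 4
#define EV_KEY      1
#define KEY_A       30

struct model_event { unsigned short type, code; int value; };

struct model_client {                /* one per open fd, like evdev_client */
    int ns_id;                       /* container that owns the fd */
    bool revoked;                    /* access withdrawn for good */
    struct model_event buf[BUF_SIZE];
    unsigned int head, tail;         /* head == tail: queue empty */
};

struct model_dev {                   /* the device and its open clients */
    int active_ns;                   /* container allowed to see input now */
    struct model_client *clients[MAX_CLIENTS];
    int nclients;
};

bool dev_attach(struct model_dev *d, struct model_client *c) {
    if (d->nclients >= MAX_CLIENTS)
        return false;
    d->clients[d->nclients++] = c;
    return true;
}

/* Re-evaluated for every event, so a client stops seeing input the moment
 * d->active_ns changes, with its fd left open and usable. Events it already
 * has queued stay readable: they arrived while it was the active one. */
bool client_may_receive(const struct model_dev *d, const struct model_client *c) {
    return !c->revoked && c->ns_id == d->active_ns;
}

/* Fan one event out to the allowed clients; the rest simply stay quiet.
 * A full client queue drops the event, as evdev does. Returns deliveries. */
int dev_pass_event(struct model_dev *d, struct model_event ev) {
    int delivered = 0;
    for (int i = 0; i < d->nclients; i++) {
        struct model_client *c = d->clients[i];
        unsigned int next = (c->head + 1) & (BUF_SIZE - 1);
        if (!client_may_receive(d, c) || next == c->tail)
            continue;
        c->buf[c->head] = ev;
        c->head = next;
        delivered++;
    }
    return delivered;
}

/* Like read(2) on the fd: pop one event, or return false when none queued. */
bool client_read(struct model_client *c, struct model_event *out) {
    if (c->head == c->tail)
        return false;
    *out = c->buf[c->tail];
    c->tail = (c->tail + 1) & (BUF_SIZE - 1);
    return true;
}

/* Withdraw an fd for good. Its queue is cleared as well; otherwise keystrokes
 * buffered just before the revoke would still come out of the next read(). */
void client_revoke(struct model_client *c) {
    c->revoked = true;
    c->head = c->tail = 0;
}

int count_readable(struct model_client *c) {
    struct model_event ev; int n = 0;
    while (client_read(c, &ev)) n++;
    return n;
}

/* The scenario from the post: container 1 is active and typing, container 2
 * runs an evtest-style reader on the same node. Returns how many of the three
 * keystrokes the reader in container 2 could read (0 if the hiding works). */
int scenario_leak_to_passive(void) {
    struct model_dev d = { .active_ns = 1 };
    struct model_client shown = { .ns_id = 1 }, hidden = { .ns_id = 2 };
    struct model_event key = { EV_KEY, KEY_A, 1 };
    dev_attach(&d, &shown);
    dev_attach(&d, &hidden);
    for (int i = 0; i < 3; i++)
        dev_pass_event(&d, key);
    return count_readable(&hidden);
}

int main(void) {
    printf("keystrokes readable from the passive container: %d\n", scenario_leak_to_passive());
    return 0;
}
```

<div>The point of the model is where the check sits: open() is never consulted again, every event asks client_may_receive() afresh, so flipping active_ns (or setting revoked) takes effect on an fd that is already open, and the hidden fd neither errors nor closes, it just goes quiet. The distinction between the two operations is deliberate: a switch leaves a client's already queued events alone, since they arrived while it was allowed to see them, while a revoke clears the queue, since an fd that is being taken away should not be able to drain the last few keystrokes first.</div>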
</body></html>