[go: up one dir, main page]

Updated drv.c to set module files read attr for all users, only root to be able to write.

berglhrequested to merge
berglh/ryzen_smu:master into master

I figured out where the module permission was being set and used the following reference to set read attributes for all users, leaving only root to be able to write to the writable files. https://www.gnu.org/software/libc/manual/html_node/Permission-Bits.html

This merge request suggests that any user should be able to read the PM table and other module files without hinderance but write methods to SMU should be protected by root due to the potential, accidental or otherwise, to cause damage to your system.

I'm unsure if it's necessary for global "other" users to have read access to the writable files, so we could remove S_IRGRP | S_IROTH from __RW_ATTR if this is the case for the least required permissions.

Resultant permissions:

~$ ls -lah /sys/kernel/ryzen_smu_drv/
total 0
drwxr-xr-x  2 root root    0 Dec 17 12:49 .
drwxr-xr-x 18 root root    0 Dec 17 08:18 ..
-r--r--r--  1 root root 4.0K Dec 17 12:49 codename
-r--r--r--  1 root root 4.0K Dec 17 12:49 drv_version
-rw-r--r--  1 root root 4.0K Dec 17 12:49 hsmp_smu_cmd
-r--r--r--  1 root root 4.0K Dec 17 12:49 mp1_if_version
-rw-r--r--  1 root root 4.0K Dec 17 12:49 mp1_smu_cmd
-r--r--r--  1 root root 4.0K Dec 17 12:49 pm_table
-r--r--r--  1 root root 4.0K Dec 17 12:49 pm_table_size
-r--r--r--  1 root root 4.0K Dec 17 12:49 pm_table_version
-rw-r--r--  1 root root 4.0K Dec 17 12:49 rsmu_cmd
-rw-r--r--  1 root root 4.0K Dec 17 12:49 smn
-rw-r--r--  1 root root 4.0K Dec 17 12:49 smu_args
-r--r--r--  1 root root 4.0K Dec 17 12:49 version

In the context of my monitoring tool, I would like to provide the ability to write PPT/EDC/TDC limits. To do this, I can write the payload using pkexec as an os subprocess which will prompt the user for their password to write the settings to file as a layer of protection.

I've built and tested this patch, and I'm able to successfully parse the PM table using my regular user, which makes it possible to run read-only monitoring code in non-root/sudo user which is obviously preferable from a system safety perspective.

Edited by berglh

Merge request reports