On Tue, Dec 10, 2019 at 04:33:01PM +0100, Landry Breuil wrote:
> On Tue, Dec 10, 2019 at 03:20:15PM +0000, Reyk Floeter wrote:
> > On Tue, Dec 10, 2019 at 02:39:20PM +0000, Stuart Henderson wrote:
> > > On 2019/12/10 13:57, Reyk Floeter wrote:
> > > > +# U2F/FIDO keys
> > > > +/dev/uhid0 rw
> > > > +/dev/uhid1 rw
> > > > +/dev/uhid2 rw
> > > > +/dev/uhid3 rw
> > > > +/dev/uhid4 rw
> > > > +/dev/uhid5 rw
> > > > +/dev/uhid6 rw
> > > > +/dev/uhid7 rw
> > > > +/dev/uhid8 rw
> > > > +/dev/uhid9 rw
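Review bot: the uhid0 to uhid9 cut-off in this block is arbitrary: it is wider than the seven uhid nodes MAKEDEV creates by default yet misses units such as uhid18 or uhid40 that appear in real dmesg logs, as noted further down the thread. Whichever bound is settled on, put a comment above the block explaining why the nodes are enumerated one by one (unveil(2) cannot grant a listing of /dev without also granting access to the files in it), so the list is not "cleaned up" later by someone who does not know the constraint. It is also worth stating what the w in rw is needed for, since the three ioctls discussed later in the thread are all read-only (IOR).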
> > >
> > > BTW there are several entries in dmesglog with uhid18 (Microsoft Surface
> > > Type Cover) and one with uhid40 (headset + docking station + others).
> > > The 40 seems excessive but it might be worth going up to, say, 20.
> > > (Alternatively it could be dropped to 7 to align with the number of
> > > device nodes created by MAKEDEV by default.)
> > >
> >
> > I feared that, OK. Let's go for 20 in this case?
> >
> > My authenticator-rs code initially scanned the /dev directory for uhid
> > devices but I changed it to probe the first 100 uhid devices to work
> > under unveil(2) (I didn't want to make /dev rx and there's no
> > unveil(2) way to "read the directory contents without allowing access
> > to its files").
> >
> > > > +This currently only works with pledge.main = disable.
> > >
> > > Another option would be to do this, and remove some lines from the pkg-readme...
> > >
> >
> > Hehe, good point and I wouldn't mind. But even if pledge(2) is
> > enabled with all of its classes, it still limits ioctls and the scope
> > of other syscalls. I don't know, what do people think about this?
>
> Well, I managed to have a 'video' pledge class, so you can probably get
> a 'uhidioctl' class :)
>
BTW, the ioctls match the ones that are done by libfido2:
- USB_GET_DEVICEINFO (libfido2 or authenticator-rs)
- USB_GET_REPORT_ID (libfido2 or authenticator-rs)
- USB_GET_REPORT_DESC (libusbhid, used by both)
All of them are read-only (IOR).
Reyk