[PATCH] nvme: restrict management ioctls to admin
Kanchan Joshi
joshi.k at samsung.com
Fri Sep 9 06:11:55 PDT 2022
On Thu, Sep 08, 2022 at 02:35:17PM -0700, Keith Busch wrote:
>From: Keith Busch <kbusch at kernel.org>
>
>The passthrough commands already have this restriction, but the other
>operations do not. Require the same capabilities for all users as all of
>these operations can be disruptive.
>
>Signed-off-by: Keith Busch <kbusch at kernel.org>
>---
> drivers/nvme/host/ioctl.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
>index 27614bee7380..d23978e993c6 100644
>--- a/drivers/nvme/host/ioctl.c
>+++ b/drivers/nvme/host/ioctl.c
>@@ -749,6 +749,9 @@ long nvme_dev_ioctl(struct file *file, unsigned int cmd,
> struct nvme_ctrl *ctrl = file->private_data;
> void __user *argp = (void __user *)arg;
>
>+ if (!capable(CAP_SYS_ADMIN))
>+ return -EACCES;
>+
I too came across this and wondered why this check is not present here.
Acked-by: Kanchan Joshi <joshi.k at samsung.com>
It's a different matter that I was looking at increasing the access
granularity (something like scsi whitelisting). Hope to have
conversations on a RFC soon.
>
>
More information about the Linux-nvme
mailing list