[RFC 0/2] nvme : Add whitelist for admin commands in passthru

Joel Granados j.granados at samsung.com
Fri Oct 7 06:22:54 PDT 2022


What?
In this patch set we implement a dynamic whitelist for admin opcodes that
will allow the privileged user to define what opcodes can be used by the
unprivileged user in the passthru path. Applications will not only be
restricted by the whitelist, but will also need write permissions for the
device.

There are questions at the end of the cover letter for people to chime in.
I'll take these comments and hopefully send a V1 soon after.

Why?
Applications with write permissions should not need to be privileged to
write to the device. With Kanchan's latest patch
(https://lore.kernel.org/linux-nvme/20220927183620.12583-1-joshi.k@samsung.com/)
the nvme IO commands in passthru now follow device permissions; however,
privileged execution is still needed for admin commands like identify that
usually come before the actual write. This patchset removes this requirement.

We can't foresee what subset of the existing admin commands will be used
nor what new ones will be added to future versions of the nvme
specification. Therefore we go with a dynamic whitelist instead of a
hardcoded one.

How?
We added an ioctl (NVME_IOCTL_PTHRU_WLIST) that controls adding, removing
and testing admin opcodes in the whitelist for the passthru path. It can
only be used by privileged users (CAP_SYS_ADMIN).  Given that the nvme
identify opcode is usually needed to generate IO, we add it to the
whitelist by default.

I have rebased this on top of Kanchan's "nvme: fine-granular CAP_SYS_ADMIN
for nvme io commands"
(https://lore.kernel.org/linux-nvme/20220927183620.12583-1-joshi.k@samsung.com/)
because this only makes sense if we can also do IO as unprivileged.

Questions:
1. I initialize the whitelist at the end of nvme_core_init. I put it there
   as I saw that that is where the module specific stuff was being
   initialized. Is there another function that is better?

2. Scope of the whitelist is the driver. There is only one whitelist for
   all the nvme devices. You can further control which devices use the
   whitelist with device file permissions. All devices with WRITE
   permissions are able to execute all whitelisted opcodes. Any comments?

3. I went with the ioctl name of NVME_IOCTL_PTHRU_WLIST. Are there
   alternatives?

4. I have left the nvme_admin_identify cmd active by default as it is the
   one that I think would be used for most simple IO commands. Comments?

Joel Granados (2):
  nvme : Add dynamic whitelisting for passthru
  nvme : Add ioctls for passthru admin whitelisting

 drivers/nvme/host/core.c        | 10 ++++++++
 drivers/nvme/host/ioctl.c       | 43 +++++++++++++++++++++++++++++++--
 drivers/nvme/host/nvme.h        |  1 +
 include/linux/nvme.h            |  1 +
 include/uapi/linux/nvme_ioctl.h | 14 +++++++++++
 5 files changed, 67 insertions(+), 2 deletions(-)

-- 
2.30.2
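A constructed C model of the policy this cover letter describes (added here as an example; it is not code from the patch set): a 256-bit bitmap whitelist seeded with identify, CAP_SYS_ADMIN-gated add/remove mirroring the ioctl, and the admin passthru check that combines whitelist membership with write permission on the device. The function names and the two bool flags standing in for the kernel's capability and file-mode checks are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not the patch's code. Admin opcodes are 8 bits wide,
 * so a 256-bit bitmap holds the whole whitelist. nvme_admin_identify is
 * opcode 0x06 in the NVMe specification. */
#define NVME_ADMIN_IDENTIFY 0x06
#define WLIST_WORDS (256 / 64)

static uint64_t admin_wlist[WLIST_WORDS];

static bool wlist_test(uint8_t opcode)
{
    return (admin_wlist[opcode / 64] >> (opcode % 64)) & 1ULL;
}

/* Reset the list and seed it with identify, as the cover letter says the
 * driver does by default. Returns the number of whitelisted opcodes. */
static int wlist_init(void)
{
    memset(admin_wlist, 0, sizeof(admin_wlist));
    admin_wlist[NVME_ADMIN_IDENTIFY / 64] |= 1ULL << (NVME_ADMIN_IDENTIFY % 64);
    return 1;
}

/* Add or remove an opcode. Like the ioctl, only a CAP_SYS_ADMIN caller may
 * change the list; returns 0 on success, -1 (EPERM in the kernel) otherwise. */
static int wlist_set(bool cap_sys_admin, uint8_t opcode, bool enable)
{
    if (!cap_sys_admin)
        return -1;
    if (enable)
        admin_wlist[opcode / 64] |= 1ULL << (opcode % 64);
    else
        admin_wlist[opcode / 64] &= ~(1ULL << (opcode % 64));
    return 0;
}

/* Gate an admin passthru command: privileged callers pass as before; an
 * unprivileged caller needs the opcode whitelisted AND write permission on
 * the device file, so a read-only opener still cannot issue identify. */
static bool admin_passthru_allowed(bool cap_sys_admin, bool has_write,
                                   uint8_t opcode)
{
    if (cap_sys_admin)
        return true;
    return has_write && wlist_test(opcode);
}
```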
