[PATCH 0/2] Granular CAP_SYS_ADMIN
Keith Busch
kbusch at kernel.org
Tue Oct 25 13:07:42 PDT 2022
On Thu, Oct 20, 2022 at 12:32:03PM +0530, Kanchan Joshi wrote:
> #1: Two NS, one with 666 another with 600
> $: ls -l /dev/ng*
> crw-rw-rw- 1 root root 242, 0 Oct 20 12:04 /dev/ng0n1
> crw------- 1 root root 242, 1 Oct 20 12:04 /dev/ng0n2
>
> #2: this should fail
> $: nvme id-ns /dev/ng0n2
> /dev/ng0n2: Permission denied
This looks good to me. The only additional thought I had was to restrict
the identification's nsid parameter to ones readable to the user because
they could just open /dev/ng0n1 instead and override the nsid with the
'--nampespace-id=2' parameter.
But that doesn't look very straight now that I look at it again.
Reviewed-by: Keith Busch <kbusch at kernel.org>
More information about the Linux-nvme
mailing list