[RFC 1/2] nvme: add whitelisting infrastructure

Christoph Hellwig hch at lst.de
Fri Sep 9 22:34:03 PDT 2022


On Fri, Sep 09, 2022 at 10:57:44AM -0600, Keith Busch wrote:
> On Fri, Sep 09, 2022 at 10:03:06PM +0530, Kanchan Joshi wrote:
> > +bool nvme_admin_cmd_allowed(u8 opcode, fmode_t mode)
> > +{
> > +	/* allowed few read-only commands post the mode check */
> > +	switch (opcode) {
> > +	case nvme_admin_identify:
> > +	case nvme_admin_get_log_page:
> > +	case nvme_admin_get_features:
> > +		return (mode & FMODE_READ);
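Review bot: nvme_admin_get_log_page is allowed on FMODE_READ alone, but nvme_admin_cmd_allowed(u8 opcode, fmode_t mode) never sees the command's CDW10, so it cannot tell a side-effect-free log page from one that latches controller state (the RAE bit) or is cleared on read (the Namespace Changed List). Either drop nvme_admin_get_log_page from this case, or pass the command (at least cdw10) into the check and allow only an explicit set of log identifiers with RAE clear, denying everything else. Minor: the comment "allowed few read-only commands post the mode check" reads better as "allow a few read-only commands after the mode check".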
> 
> Some log pages have read side effects, like Namespace Changed List or anything
> latched to RAE. That opcode seems a little more dangerous than the others in
> the whitelist.

Yes.  Some of the log pages (e.g. the persistent error log, or the LBA
status log) are also getting really close to covert channels.  Can we
please have really good justifications for why we'd whitelist anything
on the admin side?
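To make the concern above concrete, here is an added example (not code from the posted patch or from the nvme driver) of what a stricter Get Log Page check would have to look at: the log identifier and the RAE bit inside CDW10, rather than the opcode alone. The CDW10 field layout (LID in bits 7:0, RAE in bit 15, NUMDL in bits 31:16) and the LID values follow the NVMe base specification; the choice of which pages to allow, the NVME_MODE_READ stand-in for FMODE_READ, and the function names are assumptions made for illustration, and the sample commands are constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's FMODE_READ (assumption for this example). */
#define NVME_MODE_READ 0x1u

/* Log page identifiers from the NVMe base specification. */
#define NVME_LOG_ERROR            0x01
#define NVME_LOG_SMART            0x02
#define NVME_LOG_FW_SLOT          0x03
#define NVME_LOG_CHANGED_NS       0x04
#define NVME_LOG_PERSISTENT_EVENT 0x0d
#define NVME_LOG_LBA_STATUS       0x0e

/* CDW10 of Get Log Page: LID bits 7:0, RAE bit 15, NUMDL bits 31:16. */
static inline uint8_t  log_lid(uint32_t cdw10)   { return cdw10 & 0xffu; }
static inline bool     log_rae(uint32_t cdw10)   { return (cdw10 >> 15) & 1u; }
static inline uint16_t log_numdl(uint32_t cdw10) { return cdw10 >> 16; }

/* Build a CDW10 the way a user-space tool would when issuing the command
 * (constructed input for the example). */
uint32_t build_log_cdw10(uint8_t lid, bool rae, uint16_t numdl)
{
	return (uint32_t)lid | ((uint32_t)rae << 15) | ((uint32_t)numdl << 16);
}

/* Allow check for the Get Log Page opcode that inspects the command instead
 * of trusting the opcode. Policy (an assumption, not the spec's): default
 * deny, opt in only pages whose read has no effect on controller state. */
bool get_log_page_allowed(uint32_t cdw10, unsigned mode)
{
	if (!(mode & NVME_MODE_READ))
		return false;

	/* RAE asks the controller to keep the asynchronous event latched:
	 * that is a state change the caller should not be able to request. */
	if (log_rae(cdw10))
		return false;

	switch (log_lid(cdw10)) {
	case NVME_LOG_SMART:
	case NVME_LOG_FW_SLOT:
		return true;
	case NVME_LOG_CHANGED_NS:       /* list is cleared when read */
	case NVME_LOG_PERSISTENT_EVENT: /* rich history, covert-channel-like */
	case NVME_LOG_LBA_STATUS:       /* same concern */
	default:
		return false;
	}
}

int main(void)
{
	uint32_t cmds[] = {
		build_log_cdw10(NVME_LOG_SMART, false, 0x7f),
		build_log_cdw10(NVME_LOG_SMART, true, 0x7f),
		build_log_cdw10(NVME_LOG_CHANGED_NS, false, 0x3ff),
		build_log_cdw10(NVME_LOG_PERSISTENT_EVENT, false, 0x3f),
	};
	for (size_t i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++)
		printf("lid=0x%02x rae=%d numdl=%u -> %s\n",
		       log_lid(cmds[i]), log_rae(cmds[i]), log_numdl(cmds[i]),
		       get_log_page_allowed(cmds[i], NVME_MODE_READ) ? "allow" : "deny");
	return 0;
}
```

The point of the shape is that the decision cannot be made from the opcode: the same opcode with the same FMODE_READ caller is harmless for SMART and a state change for a Namespace Changed List read or any page requested with RAE set.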



More information about the Linux-nvme mailing list