[PATCH] nvme: restrict management ioctls to admin
Sagi Grimberg
sagi at grimberg.me
Mon Sep 12 05:24:06 PDT 2022
>> The passthrough commands already have this restriction, but the other
>> operations do not. Require the same capabilities for all users as all of
>> these operations can be disruptive.
>
> Where "these operations" are: NVME_IOCTL_RESET, NVME_IOCTL_SUBSYS_RESET,
> NVME_IOCTL_RESCAN. Yes, I think those are very disruptive and the
> definition of what CAP_SYS_ADMIN was designed for, but that should
> be spelled out in the commit log.
>
> That being said I think we should just do the capable() check in the
> individual ioctl opcode to document things better, even if that doesn't
> currently make any difference.
Agree.
> And we really need a FIXES tag going
> back to the addition of the first of these ioctls.
100% agree on the fixes tag
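
The per-opcode capability check discussed in this thread, as an added user-space model that is not part of the original message or of the kernel patch. The `MODEL_` names, the `-EACCES` return value and the sample `/proc/<pid>/status` text are assumptions of this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values mirrored from linux/capability.h and linux/nvme_ioctl.h (x86
 * ioctl encoding); the MODEL_ names are this example's own. */
#define MODEL_CAP_SYS_ADMIN           21
#define MODEL_NVME_IOCTL_RESET        0x4E44u /* _IO('N', 0x44) */
#define MODEL_NVME_IOCTL_SUBSYS_RESET 0x4E45u /* _IO('N', 0x45) */
#define MODEL_NVME_IOCTL_RESCAN       0x4E46u /* _IO('N', 0x46) */
/* Constructed /proc/<pid>/status excerpts: no capabilities, and a full set. */
static const char SAMPLE_UNPRIV[] = "Name:\tdemo\nCapEff:\t0000000000000000\n";
static const char SAMPLE_ROOT[]   = "Name:\tdemo\nCapEff:\t000001ffffffffff\n";

/* 1 if the CapEff mask holds CAP_SYS_ADMIN, 0 if not, -1 if unparsable. */
int has_sys_admin(const char *status)
{
    const char *p = strstr(status, "\nCapEff:");
    char *end;
    if (!p) return -1;
    p += strlen("\nCapEff:");
    while (*p == '\t' || *p == ' ') p++;
    if (!isxdigit((unsigned char)*p)) return -1;
    errno = 0;
    uint64_t eff = strtoull(p, &end, 16);
    return (end == p || errno) ? -1 : (int)((eff >> MODEL_CAP_SYS_ADMIN) & 1);
}

/* Model of the layout suggested in the thread: every disruptive opcode carries
 * its own check. 0 = would proceed, -EACCES = denied, -ENOTTY = not modelled. */
int model_ctrl_ioctl(unsigned int cmd, int admin)
{
    switch (cmd) {
    case MODEL_NVME_IOCTL_RESET:        return admin ? 0 : -EACCES;
    case MODEL_NVME_IOCTL_SUBSYS_RESET: return admin ? 0 : -EACCES;
    case MODEL_NVME_IOCTL_RESCAN:       return admin ? 0 : -EACCES;
    default:                            return -ENOTTY;
    }
}

int main(void)
{
    int admin = has_sys_admin(SAMPLE_UNPRIV) == 1;
    printf("unprivileged reset -> %d\n", model_ctrl_ioctl(MODEL_NVME_IOCTL_RESET, admin));
    return 0;
}
```

Passing the contents of `/proc/self/status` to `has_sys_admin()` reports whether the calling process would pass such a check on a live system.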