[PATCH] nvme: restrict management ioctls to admin

public inbox for linux-nvme@lists.infradead.org
 help / color / mirror / Atom feed

* [PATCH] nvme: restrict management ioctls to admin
@ 2022-09-08 21:35 ` Keith Busch
  2022-09-09 13:11   ` Kanchan Joshi
                     ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Keith Busch @ 2022-09-08 21:35 UTC (permalink / raw)
  To: linux-nvme, hch, sagi; +Cc: Keith Busch

From: Keith Busch <kbusch@kernel.org>

The passthrough commands already have this restriction, but the other
operations do not. Require the same capabilities for all users as all of
these operations can be disruptive.

Signed-off-by: Keith Busch <kbusch@kernel.org>
---
 drivers/nvme/host/ioctl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
index 27614bee7380..d23978e993c6 100644
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -749,6 +749,9 @@ long nvme_dev_ioctl(struct file *file, unsigned int cmd,
 	struct nvme_ctrl *ctrl = file->private_data;
 	void __user *argp = (void __user *)arg;
 
+	if (!capable(CAP_SYS_ADMIN))
+		return -EACCES;
+
 	switch (cmd) {
 	case NVME_IOCTL_ADMIN_CMD:
 		return nvme_user_cmd(ctrl, NULL, argp);
-- 
2.30.2



^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] nvme: restrict management ioctls to admin
  2022-09-08 21:35 ` [PATCH] nvme: restrict management ioctls to admin Keith Busch
@ 2022-09-09 13:11   ` Kanchan Joshi
  2022-09-09 14:57   ` Jens Axboe
  2022-09-09 15:11   ` Christoph Hellwig
  2 siblings, 0 replies; 5+ messages in thread
From: Kanchan Joshi @ 2022-09-09 13:11 UTC (permalink / raw)
  To: Keith Busch; +Cc: linux-nvme, hch, sagi, Keith Busch

[-- Attachment #1: Type: text/plain, Size: 1095 bytes --]

On Thu, Sep 08, 2022 at 02:35:17PM -0700, Keith Busch wrote:
>From: Keith Busch <kbusch@kernel.org>
>
>The passthrough commands already have this restriction, but the other
>operations do not. Require the same capabilities for all users as all of
>these operations can be disruptive.
>
>Signed-off-by: Keith Busch <kbusch@kernel.org>
>---
> drivers/nvme/host/ioctl.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/drivers/nvme/host/ioctl.c b/drivers/nvme/host/ioctl.c
>index 27614bee7380..d23978e993c6 100644
>--- a/drivers/nvme/host/ioctl.c
>+++ b/drivers/nvme/host/ioctl.c
>@@ -749,6 +749,9 @@ long nvme_dev_ioctl(struct file *file, unsigned int cmd,
> 	struct nvme_ctrl *ctrl = file->private_data;
> 	void __user *argp = (void __user *)arg;
>
>+	if (!capable(CAP_SYS_ADMIN))
>+		return -EACCES;
>+

I too came across this and wondered why this check is not present here.

Acked-by: Kanchan Joshi <joshi.k@samsung.com>

It's a different matter that I was looking at increasing the access
granularity (something like scsi whitelisting). Hope to have
conversations on a RFC soon.
>
>

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] nvme: restrict management ioctls to admin
  2022-09-08 21:35 ` [PATCH] nvme: restrict management ioctls to admin Keith Busch
  2022-09-09 13:11   ` Kanchan Joshi
@ 2022-09-09 14:57   ` Jens Axboe
  2022-09-09 15:11   ` Christoph Hellwig
  2 siblings, 0 replies; 5+ messages in thread
From: Jens Axboe @ 2022-09-09 14:57 UTC (permalink / raw)
  To: Keith Busch, linux-nvme, hch, sagi; +Cc: Keith Busch

On 9/8/22 3:35 PM, Keith Busch wrote:
> From: Keith Busch <kbusch@kernel.org>
> 
> The passthrough commands already have this restriction, but the other
> operations do not. Require the same capabilities for all users as all of
> these operations can be disruptive.

Would it be saner to require that you have write permissions on the
opened device? Not sure this CAP_SYS_ADMIN is really necessary,
and might break existing setups as this is new.

I do agree that passthrough and sync ioctl based issue should be
consistent, though.

-- 
Jens Axboe




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] nvme: restrict management ioctls to admin
  2022-09-08 21:35 ` [PATCH] nvme: restrict management ioctls to admin Keith Busch
  2022-09-09 13:11   ` Kanchan Joshi
  2022-09-09 14:57   ` Jens Axboe
@ 2022-09-09 15:11   ` Christoph Hellwig
  2022-09-12 12:24     ` Sagi Grimberg
  2 siblings, 1 reply; 5+ messages in thread
From: Christoph Hellwig @ 2022-09-09 15:11 UTC (permalink / raw)
  To: Keith Busch; +Cc: linux-nvme, hch, sagi, Keith Busch

On Thu, Sep 08, 2022 at 02:35:17PM -0700, Keith Busch wrote:
> From: Keith Busch <kbusch@kernel.org>
> 
> The passthrough commands already have this restriction, but the other
> operations do not. Require the same capabilities for all users as all of
> these operations can be disruptive.

Where "these operations" are: NVME_IOCTL_RESET, NVME_IOCTL_SUBSYS_RESET,
NVME_IOCTL_RESCAN.  Yes, I think those are very disruptive and the
definition of what CAP_SYS_ADMIN was designed for, but that should
be spelled out in the commit log.

That being said I think we should just do the capable() check in the
individul ioctl opcode to document things better, even if that does't
currently make any difference.  Any we really need a FIXES tag going
back to the addition of the first of these ioctls.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] nvme: restrict management ioctls to admin
  2022-09-09 15:11   ` Christoph Hellwig
@ 2022-09-12 12:24     ` Sagi Grimberg
  0 siblings, 0 replies; 5+ messages in thread
From: Sagi Grimberg @ 2022-09-12 12:24 UTC (permalink / raw)
  To: Christoph Hellwig, Keith Busch; +Cc: linux-nvme, Keith Busch


>> The passthrough commands already have this restriction, but the other
>> operations do not. Require the same capabilities for all users as all of
>> these operations can be disruptive.
> 
> Where "these operations" are: NVME_IOCTL_RESET, NVME_IOCTL_SUBSYS_RESET,
> NVME_IOCTL_RESCAN.  Yes, I think those are very disruptive and the
> definition of what CAP_SYS_ADMIN was designed for, but that should
> be spelled out in the commit log.
> 
> That being said I think we should just do the capable() check in the
> individul ioctl opcode to document things better, even if that does't
> currently make any difference.

Agree.

>  Any we really need a FIXES tag going
> back to the addition of the first of these ioctls.

100% agree on the fixes tag


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2022-09-12 12:24 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <CGME20220908214000epcas5p1a9bf63bc35632888248e094daacbcbde@epcas5p1.samsung.com>
2022-09-08 21:35 ` [PATCH] nvme: restrict management ioctls to admin Keith Busch
2022-09-09 13:11   ` Kanchan Joshi
2022-09-09 14:57   ` Jens Axboe
2022-09-09 15:11   ` Christoph Hellwig
2022-09-12 12:24     ` Sagi Grimberg

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox