Message-ID: <56faf6ae-885a-421b-b945-8255edd04331@gmail.com>
Date: Mon, 27 Apr 2026 17:04:34 -0400
X-Mailing-List: netdev@vger.kernel.org
Subject: Re: [PATCH net] net: psp: require admin permission for dev-set and key-rotate
To: Jakub Kicinski, davem@davemloft.net
Cc: netdev@vger.kernel.org, edumazet@google.com, pabeni@redhat.com, andrew+netdev@lunn.ch, horms@kernel.org, willemdebruijn.kernel@gmail.com, donald.hunter@gmail.com
References: <20260427195856.401223-1-kuba@kernel.org>
From: Daniel Zahka
In-Reply-To: <20260427195856.401223-1-kuba@kernel.org>

On 4/27/26 3:58 PM, Jakub Kicinski wrote:
> The dev-set and key-rotate netlink operations modify shared device
> state (PSP version configuration and cryptographic key material,
> respectively) but do not require CAP_NET_ADMIN. The only access
> control is psp_dev_check_access() which merely verifies netns
> membership.
>
> Fixes: 00c94ca2b99e ("psp: base PSP device support")
> Signed-off-by: Jakub Kicinski

Reviewed-by: Daniel Zahka
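
An added example, not part of the patch or of this thread: one way to audit a genetlink ops table for the gap the commit message describes, a state-changing operation with no admin-permission flag. It assumes admin permission is expressed with the kernel's `GENL_ADMIN_PERM` / `GENL_UNS_ADMIN_PERM` op flags; the table text, the `EXAMPLE_CMD_*` names and the suffix heuristic are constructed for illustration.

```python
import re

# Constructed ops table in the style of a generated genetlink family file.
# EXAMPLE_CMD_* and example_nl_ops are hypothetical names, not the PSP sources.
TEMPLATE = """
static const struct genl_split_ops example_nl_ops[] = {
    {
        .cmd   = EXAMPLE_CMD_DEV_GET,
        .flags = GENL_CMD_CAP_DO,
    },
    {
        .cmd   = EXAMPLE_CMD_DEV_SET,
        .flags = MUTATOR_FLAGS,
    },
    {
        .cmd   = EXAMPLE_CMD_KEY_ROTATE,
        .flags = MUTATOR_FLAGS,
    },
};
"""
# "Before": mutating ops carry no admin flag. "After": they do.
BEFORE = TEMPLATE.replace("MUTATOR_FLAGS", "GENL_CMD_CAP_DO")
AFTER = TEMPLATE.replace("MUTATOR_FLAGS", "GENL_ADMIN_PERM | GENL_CMD_CAP_DO")

ENTRY_RE = re.compile(r"\{([^{}]*)\}")            # innermost { ... } = one op
FIELD_RE = re.compile(r"\.(\w+)\s*=\s*([^,]+),")  # .name = value,
ADMIN_FLAGS = {"GENL_ADMIN_PERM", "GENL_UNS_ADMIN_PERM"}
# Assumption: a command whose name ends like this changes shared state.
MUTATING_SUFFIXES = ("_SET", "_ROTATE", "_ADD", "_DEL")

def parse_ops(source):
    """Return [(cmd, set_of_flags)] for every op entry in the table text."""
    ops = []
    for body in ENTRY_RE.findall(source):
        fields = {name: value.strip() for name, value in FIELD_RE.findall(body)}
        if "cmd" in fields:
            flags = {f.strip() for f in fields.get("flags", "").split("|")}
            ops.append((fields["cmd"], flags - {""}))
    return ops

def unprivileged_mutators(source):
    """Commands that look state-changing but carry no admin-permission flag."""
    return [cmd for cmd, flags in parse_ops(source)
            if cmd.endswith(MUTATING_SUFFIXES) and not flags & ADMIN_FLAGS]

if __name__ == "__main__":
    print("before:", unprivileged_mutators(BEFORE))
    print("after: ", unprivileged_mutators(AFTER))
```

A finding from this scan is a prompt to read the handler: an op may still be gated inside its `doit` function, and the suffix list will miss mutators with other names.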