• K
    nvme: fine-granular CAP_SYS_ADMIN for nvme io commands · 855b7717
    Kanchan Joshi 提交于
    Currently both io and admin commands are kept under a
    coarse-granular CAP_SYS_ADMIN check, disregarding file mode completely.
    
    $ ls -l /dev/ng*
    crw-rw-rw- 1 root root 242, 0 Sep  9 19:20 /dev/ng0n1
    crw------- 1 root root 242, 1 Sep  9 19:20 /dev/ng0n2
    
    In the example above, ng0n1 appears as if it may allow unprivileged
    read/write operation but it does not and behaves same as ng0n2.
    
    This patch implements a shift from CAP_SYS_ADMIN to more fine-granular
    control for io-commands.
    If CAP_SYS_ADMIN is present, nothing else is checked as before.
    Otherwise, following rules are in place
    - any admin-cmd is not allowed
    - vendor-specific and fabric commmand are not allowed
    - io-commands that can write are allowed if matching FMODE_WRITE
    permission is present
    - io-commands that read are allowed
    
    Add a helper nvme_cmd_allowed that implements above policy.
    Change all the callers of CAP_SYS_ADMIN to go through nvme_cmd_allowed
    for any decision making.
    Since file open mode is counted for any approval/denial, change at
    various places to keep file-mode information handy.
    Signed-off-by: NKanchan Joshi <joshi.k@samsung.com>
    Reviewed-by: NJens Axboe <axboe@kernel.dk>
    Reviewed-by: NKeith Busch <kbusch@kernel.org>
    Reviewed-by: NChaitanya Kulkarni <kch@nvidia.com>
    Signed-off-by: NChristoph Hellwig <hch@lst.de>
    855b7717
nvme.h 44.3 KB