linux

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-05-03 15:51:40 -04:00

Go to file

Kanchan Joshi 855b7717f4 nvme: fine-granular CAP_SYS_ADMIN for nvme io commands

Currently both io and admin commands are kept under a
coarse-granular CAP_SYS_ADMIN check, disregarding file mode completely.

$ ls -l /dev/ng*
crw-rw-rw- 1 root root 242, 0 Sep  9 19:20 /dev/ng0n1
crw------- 1 root root 242, 1 Sep  9 19:20 /dev/ng0n2

In the example above, ng0n1 appears as if it may allow unprivileged
read/write operation but it does not and behaves same as ng0n2.

This patch implements a shift from CAP_SYS_ADMIN to more fine-granular
control for io-commands.
If CAP_SYS_ADMIN is present, nothing else is checked as before.
Otherwise, following rules are in place
- any admin-cmd is not allowed
- vendor-specific and fabric commmand are not allowed
- io-commands that can write are allowed if matching FMODE_WRITE
permission is present
- io-commands that read are allowed

Add a helper nvme_cmd_allowed that implements above policy.
Change all the callers of CAP_SYS_ADMIN to go through nvme_cmd_allowed
for any decision making.
Since file open mode is counted for any approval/denial, change at
various places to keep file-mode information handy.

Signed-off-by: Kanchan Joshi <joshi.k@samsung.com>
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>

2022-11-15 10:50:30 +01:00

arch

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

2022-10-23 15:00:43 -07:00

block

blk-mq: simplify blk_mq_realloc_tag_set_tags

2022-11-10 11:18:09 -07:00

certs

certs: make system keyring depend on built-in x509 parser

2022-09-24 04:31:18 +09:00

crypto

treewide: use get_random_bytes() when possible

2022-10-11 17:42:58 -06:00

Documentation

ABI: sysfs-bus-pci: add documentation for p2pmem allocate

2022-11-09 11:29:21 -07:00

drivers

nvme: fine-granular CAP_SYS_ADMIN for nvme io commands

2022-11-15 10:50:30 +01:00

Merge tag 'efi-fixes-for-v6.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi

2022-10-21 18:02:36 -07:00

include

nvme: fine-granular CAP_SYS_ADMIN for nvme io commands

2022-11-15 10:50:30 +01:00

init

init: Kconfig: fix spelling mistake "satify" -> "satisfy"

2022-10-20 21:27:22 -07:00

io_uring

io_uring/net: fail zc sendmsg when unsupported by socket

2022-10-22 08:43:03 -06:00

ipc

Merge tag 'mm-nonmm-stable-2022-10-11' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm

2022-10-12 11:00:22 -07:00

kernel

kernel/utsname_sysctl.c: Fix hostname polling

2022-10-23 12:01:01 -07:00

lib

lib/raid6: drop RAID6_USE_EMPTY_ZERO_PAGE

2022-11-14 09:35:50 -08:00

LICENSES

LICENSES/LGPL-2.1: Add LGPL-2.1-or-later as valid identifiers

2021-12-16 14:33:10 +01:00

mm: introduce FOLL_PCI_P2PDMA to gate getting PCI P2PDMA pages

2022-11-09 11:29:20 -07:00

net

Merge tag 'io_uring-6.1-2022-10-22' of git://git.kernel.dk/linux

2022-10-23 09:55:50 -07:00

rust

Kbuild: add Rust support

2022-09-28 09:02:20 +02:00

samples

Merge tag 'vfio-v6.1-rc1' of https://github.com/awilliam/linux-vfio

2022-10-12 14:46:48 -07:00

scripts

Merge tag 'kbuild-fixes-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

2022-10-16 11:12:22 -07:00

security

selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()

2022-10-19 09:55:53 -04:00

sound

Merge tag 'sound-fix-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

2022-10-14 13:22:14 -07:00

tools

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

2022-10-23 15:00:43 -07:00

usr

usr/gen_init_cpio.c: remove unnecessary -1 values from int file

2022-10-03 14:21:44 -07:00

virt

kvm: Add support for arch compat vm ioctls

2022-10-22 05:15:23 -04:00

.clang-format

PCI/DOE: Add DOE mailbox support functions

2022-07-19 15:38:04 -07:00

.cocciconfig

scripts: add Linux .cocciconfig for coccinelle

2016-07-22 12:13:39 +02:00

.get_maintainer.ignore

get_maintainer: add Alan to .get_maintainer.ignore

2022-08-20 15:17:44 -07:00

.gitattributes

.gitattributes: use 'dts' diff driver for dts files

2019-12-04 19:44:11 -08:00

.gitignore

Kbuild: add Rust support

2022-09-28 09:02:20 +02:00

.mailmap

mailmap: update email for Qais Yousef

2022-10-20 21:27:21 -07:00

.rustfmt.toml

rust: add .rustfmt.toml

2022-09-28 09:02:20 +02:00

COPYING

COPYING: state that all contributions really are covered by this file

2020-02-10 13:32:20 -08:00

CREDITS

Merge tag 'drm-next-2022-08-03' of git://anongit.freedesktop.org/drm/drm

2022-08-03 19:52:08 -07:00

Kbuild

Merge tag 'kbuild-v6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

2022-10-10 12:00:45 -07:00

Kconfig

kbuild: ensure full rebuild when the compiler is updated

2020-05-12 13:28:33 +09:00

MAINTAINERS

Merge tag 'pci-v6.1-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

2022-10-22 15:52:36 -07:00

Makefile

Linux 6.1-rc2

2022-10-23 15:27:33 -07:00

README

Drop all 00-INDEX files from Documentation/

2018-09-09 15:08:58 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.

Languages

C 97%

Assembly 1%

Shell 0.6%

Rust 0.5%

Python 0.4%

Other 0.3%