On 10/24/2023 12:37 PM, Christoph Hellwig wrote:
On Mon, Oct 23, 2023 at 09:18:36AM -0600, Keith Busch wrote:
On Mon, Oct 23, 2023 at 07:44:56AM +0200, Christoph Hellwig wrote:
Yes, you need someone with root access to change the device node permissions. But we allowed that under the assumption it is safe to do so, which it turns out it is not.
Okay, iiuc, while we have to opt-in to allow this hole, we need another option for users to set to allow this usage because it's not safe.
Here are two options I have considered for unprivileged access, please let me know if you have others or thoughts.
Restrict access for processes with CAP_SYS_RAWIO, which can be granted to non-root users. This cap is already used in scsi subsystem, too.
Well, that's sensible in general.
With that someone needs to make each binary (that wants to use passthrough) capability-aware by doing:
setcap "CAP_SYS_RAWIO=ep" <binary>
Seems extra work for admins (or distros if they need to ship the binary that way).
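One way to check what the setcap step above actually gives a process, as an added user-space example that is not from this thread or from the kernel tree: a binary launched after "setcap CAP_SYS_RAWIO=ep" should see the capability in its effective set, which the kernel exposes as a hex mask on the CapEff line of /proc/self/status. The code assumes CAP_SYS_RAWIO is capability number 17 (its value in linux/capability.h); SAMPLE_STATUS is a constructed status excerpt used to exercise the parser offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability number of CAP_SYS_RAWIO in linux/capability.h (assumption: 17). */
#define CAP_SYS_RAWIO_NUM 17

/* Constructed excerpt of a /proc/<pid>/status file for a process that was
 * started from a binary carrying the file capability CAP_SYS_RAWIO=ep:
 * permitted and effective hold bit 17, inheritable is empty. */
const char *SAMPLE_STATUS =
    "Name:\tpassthru-tool\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000020000\n"
    "CapEff:\t0000000000020000\n"
    "CapBnd:\t000001ffffffffff\n";

/* Parse one capability mask as printed in /proc/<pid>/status (64-bit hex)
 * and report whether capability number `cap` is set.
 * Returns 1 if set, 0 if clear, -1 if the mask or cap number is malformed. */
int cap_in_mask(const char *hexmask, int cap)
{
    char *end;
    unsigned long long mask;

    if (cap < 0 || cap >= 64)
        return -1;
    mask = strtoull(hexmask, &end, 16);
    if (end == hexmask || (*end != '\0' && *end != '\n'))
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Find the line that starts with `field` (e.g. "CapEff:") in status text
 * and test the capability in its mask. Returns 1/0, or -1 if absent/malformed. */
int cap_in_status(const char *status_text, const char *field, int cap)
{
    const char *p = status_text;
    size_t flen = strlen(field);

    while (p && *p) {
        if (strncmp(p, field, flen) == 0) {
            p += flen;
            while (*p == ' ' || *p == '\t')
                p++;
            return cap_in_mask(p, cap);
        }
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p)
            p++;
    }
    return -1;
}

/* Read the calling process's own effective set from /proc/self/status.
 * Returns 1/0, or -1 if the file cannot be read. */
int self_has_effective_cap(int cap)
{
    char buf[8192];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");

    if (!f)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_in_status(buf, "CapEff:", cap);
}

int main(void)
{
    int r = self_has_effective_cap(CAP_SYS_RAWIO_NUM);

    if (r < 0) {
        perror("/proc/self/status");
        return 1;
    }
    printf("CAP_SYS_RAWIO effective: %s\n", r ? "yes" : "no");
    return 0;
}
```

Run it once as an ordinary user and once after applying the setcap command to the compiled binary; the second run reports "yes" while the first reports "no", which is the admin-side check that the capability-aware deployment described above took effect.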