On Fri, Jun 09, 2023 at 06:21:22PM +0800, Jingbo Xu wrote: > When the shared storage is accessed from containers [1], it's not > recommended to grant CAP_SYS_ADMIN to containers for access to > Persistent Reservations in risk of container escape. > > Remove the extra CAP_SYS_ADMIN permission constraint for Persistent > Reservations ioctl which shall do no harm [2]. I think we still to check that if CAP_SYS_ADMIN is not present, the file descriptors needs to be open for write, and we're not called on a partition (the latter should probbaly be always checked, as a reservation for a partitions doesn't make sense). But in general I think relaxing this is a good idea, we just need to be very careful. Looking at the discussion of unprivileged nvme command passthrough might be a good start.
