Some background: My team is working on a project that interacts very closely with SEV so we have a layer of code that wraps around the SEV ioctl calls. We have an automated test suite that ends up testing these ioctls on our test machine. We are in the process of adding this test machine as a dedicated test runner in our continuous integration process. Any time someone opens a pull request against our project, this test runner automatically checks that code out and executes the tests. Right now, the SEV ioctls that affect the state of the platform require CAP_SYS_ADMIN to run. This is not a capability we can give to an automated test runner, because it means that anyone who would like to contribute to the project would be able to run any code they want (for good or evil) as CAP_SYS_ADMIN on our machine. This patch replaces the check for CAP_SYS_ADMIN with a check that can still be easily controlled by an administrator with the file permissions ACL. This way access to the device can still be controlled, but without also assigning such broad system privileges at the same time. Connor Kuehl (1): crypto: ccp: use file mode for sev ioctl permissions drivers/crypto/ccp/sev-dev.c | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) -- 2.24.1