Re: [PATCH 1/1] crypto: ccp: use file mode for sev ioctl permissions

On Fri, Mar 06, 2020 at 09:20:10AM -0800, Connor Kuehl wrote:
> Instead of using CAP_SYS_ADMIN which is restricted to the root user,
> check the file mode for write permissions before executing commands that
> can affect the platform. This allows for more fine-grained access
> control to the SEV ioctl interface. This would allow a SEV-only user
> or group the ability to administer the platform without requiring them
> to be root or granting them overly powerful permissions.
> 
> For example:
> 
> chown root:root /dev/sev
> chmod 600 /dev/sev
> setfacl -m g:sev:r /dev/sev
> setfacl -m g:sev-admin:rw /dev/sev
> 
> In this instance, members of the "sev-admin" group have the ability to
> perform all ioctl calls (including the ones that modify platform state).
> Members of the "sev" group only have access to the ioctls that do not
> modify the platform state.
> 
> This also makes opening "/dev/sev" more consistent with how file
> descriptors are usually handled. By only checking for CAP_SYS_ADMIN,
> the file descriptor could be opened read-only but could still execute
> ioctls that modify the platform state. This patch enforces that the file
> descriptor is opened with write privileges if it is going to be used to
> modify the platform state.
> 
> This flexibility is completely opt-in, and if it is not desired by
> the administrator then they do not need to give anyone else access to
> /dev/sev.
> 
> Signed-off-by: Connor Kuehl <ckuehl@xxxxxxxxxx>
> ---
>  drivers/crypto/ccp/sev-dev.c | 33 +++++++++++++++++----------------
>  1 file changed, 17 insertions(+), 16 deletions(-)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
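The following is a stand-alone C model of the two permission checks the commit message contrasts. It is added here as an illustration and is not the kernel's code or the patch itself: the FMODE_* values, the command numbers, the split of commands into "modifies platform state" and "read-only", and the open(2) model are all local assumptions made for the example (the real FMODE bits live in include/linux/fs.h and the command names are taken from include/uapi/linux/psp-sev.h). It shows why the capability-only check lets a read-only descriptor reset the platform, and how the file-mode check makes the ACL entries from the example (g:sev:r, g:sev-admin:rw) decide what a caller may do.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>

/* Local stand-ins for the kernel's FMODE_READ / FMODE_WRITE bits on
 * struct file (real definitions: include/linux/fs.h). */
#define MODEL_FMODE_READ  0x1u
#define MODEL_FMODE_WRITE 0x2u

/* A few SEV user commands, named after the ones in
 * include/uapi/linux/psp-sev.h; the numbers are local to this model. */
enum model_cmd {
	MODEL_SEV_FACTORY_RESET,
	MODEL_SEV_PLATFORM_STATUS,
	MODEL_SEV_PEK_GEN,
	MODEL_SEV_GET_ID2,
	MODEL_SEV_MAX
};

/* Assumption for the model: reset and key generation change platform
 * state; status and ID queries do not. */
static bool modifies_platform_state(enum model_cmd cmd)
{
	return cmd == MODEL_SEV_FACTORY_RESET || cmd == MODEL_SEV_PEK_GEN;
}

/* What an ACL entry grants a caller on /dev/sev: "g:sev:r" gives
 * {read=true, write=false}; "g:sev-admin:rw" gives both. */
struct model_acl {
	bool may_read;
	bool may_write;
};

/* Model of open(2): the VFS checks the requested access against the ACL
 * and, on success, records it in f_mode.  Returns the f_mode bits, or
 * -EACCES when the ACL does not grant the requested access. */
static int model_open(const struct model_acl *acl, int flags)
{
	unsigned int f_mode = 0;
	int acc = flags & O_ACCMODE;

	if (acc == O_RDONLY || acc == O_RDWR) {
		if (!acl->may_read)
			return -EACCES;
		f_mode |= MODEL_FMODE_READ;
	}
	if (acc == O_WRONLY || acc == O_RDWR) {
		if (!acl->may_write)
			return -EACCES;
		f_mode |= MODEL_FMODE_WRITE;
	}
	return (int)f_mode;
}

/* Before the patch: only a capability check, which never looks at how
 * the descriptor was opened. */
static int sev_cmd_check_capable(bool cap_sys_admin, unsigned int f_mode,
				 enum model_cmd cmd)
{
	(void)f_mode;
	if (cmd >= MODEL_SEV_MAX)
		return -EINVAL;
	if (modifies_platform_state(cmd) && !cap_sys_admin)
		return -EPERM;
	return 0;
}

/* After the patch: state-changing commands need a descriptor that was
 * opened for writing; capabilities are not consulted. */
static int sev_cmd_check_fmode(bool cap_sys_admin, unsigned int f_mode,
			       enum model_cmd cmd)
{
	bool writable = f_mode & MODEL_FMODE_WRITE;

	(void)cap_sys_admin;
	if (cmd >= MODEL_SEV_MAX)
		return -EINVAL;
	if (modifies_platform_state(cmd) && !writable)
		return -EPERM;
	return 0;
}

/* The two ACL entries from the commit message. */
static const struct model_acl acl_sev       = { true, false };
static const struct model_acl acl_sev_admin = { true, true  };

int main(void)
{
	/* root with a read-only fd: the old check still allows a reset,
	 * the new check refuses until the fd is writable. */
	int fm = model_open(&acl_sev_admin, O_RDONLY);
	printf("root, O_RDONLY, FACTORY_RESET: before=%d after=%d\n",
	       sev_cmd_check_capable(true, fm, MODEL_SEV_FACTORY_RESET),
	       sev_cmd_check_fmode(true, fm, MODEL_SEV_FACTORY_RESET));

	/* sev-admin member without CAP_SYS_ADMIN, opened read-write. */
	fm = model_open(&acl_sev_admin, O_RDWR);
	printf("sev-admin, O_RDWR, PEK_GEN: before=%d after=%d\n",
	       sev_cmd_check_capable(false, fm, MODEL_SEV_PEK_GEN),
	       sev_cmd_check_fmode(false, fm, MODEL_SEV_PEK_GEN));

	/* sev member: a read-write open is refused by the ACL itself. */
	printf("sev, O_RDWR: open=%d\n", model_open(&acl_sev, O_RDWR));
	return 0;
}
```

The point the model makes is that the access decision moves to where the VFS already makes one: a member of "sev" cannot obtain a writable descriptor at all, so the ioctl handler only needs to test f_mode, and a process that is root but opened the device O_RDONLY is held to the same rule.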