From: Allen Pais <apais@xxxxxxxxxxxxxxxxxxx>

Access to pci config space is explicitly checked with CAP_SYS_ADMIN in order to read configuration space past the first 64B.

Since the path is only for reading, could we use CAP_SYS_RAWIO?

This patch contains a simpler fix, I would love to hear from the Maintainers on the approach.

The other approach that I considered was to introduce an API which would check for multiple capabilities, something similar to perfmon_capable()/bpf_capable(). But I could not find more users for the API and hence dropped it.

The problem I am trying to solve is to avoid handing out CAP_SYS_ADMIN for extended reads of the PCI config space.

Signed-off-by: Allen Pais <allen.pais@xxxxxxxx>

--- drivers/pci/pci-sysfs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c index 6d78df981d41..6574c0203475 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -666,7 +666,8 @@ static ssize_t pci_read_config(struct file *filp, struct kobject *kobj, u8 *data = (u8 *) buf; /* Several chips lock up trying to read undefined config space */ - if (file_ns_capable(filp, &init_user_ns, CAP_SYS_ADMIN)) + if (file_ns_capable(filp, &init_user_ns, CAP_SYS_ADMIN) || + file_ns_capable(filp, &init_user_ns, CAP_SYS_RAWIO)) size = dev->cfg_size; else if (dev->hdr_type == PCI_HEADER_TYPE_CARDBUS) size = 128; -- 2.25.1
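
Review bot: the new condition in pci_read_config() tests CAP_SYS_ADMIN before CAP_SYS_RAWIO, so a reader that holds only the narrower capability is still checked against CAP_SYS_ADMIN first, and that failed check can show up as a denial for the very capability this patch is meant to stop handing out. Put the file_ns_capable(filp, &init_user_ns, CAP_SYS_RAWIO) test first and keep CAP_SYS_ADMIN as the fallback for existing users. The comment above the check ("Several chips lock up trying to read undefined config space") gives the reason the extended read is privileged at all; it should also say why CAP_SYS_RAWIO is considered sufficient for it, since a process with that capability can now trigger the lockup the comment warns about. Only the read path is visible in this hunk, so it is worth confirming in the commit message that no write-side check in the same file is meant to follow.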