On 10/24/2023 12:37 PM, Christoph Hellwig wrote:
> On Mon, Oct 23, 2023 at 09:18:36AM -0600, Keith Busch wrote:
>> On Mon, Oct 23, 2023 at 07:44:56AM +0200, Christoph Hellwig wrote:
>>> Yes, you need someone with root access to change the device node
>>> permissions. But we allowed that under the assumption it is safe
>>> to do so, which it turns out it is not.
>>
>> Okay, iiuc, while we have to opt-in to allow this hole, we need another
>> option for users to set to allow this usage because it's not safe.
>>
>> Here are two options I have considered for unprivileged access, please
>> let me know if you have others or thoughts.
>>
>> Restrict access for processes with CAP_SYS_RAWIO, which can be granted
>> to non-root users. This cap is already used in scsi subsystem, too.
>
> Well, that's sensible in general.

With that someone needs to make each binary (that wants to use passthrough)
capability-aware by doing:

setcap "CAP_SYS_RAWIO=ep" <binary>

Seems extra work for admins (or distros if they need to ship the binary that way).
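As an added example (not code from this thread or the kernel), here is how an admin can verify which processes actually hold CAP_SYS_RAWIO after a `setcap "CAP_SYS_RAWIO=ep"` deployment: the kernel exports each process's capability sets in /proc/<pid>/status as hex bitmasks, and CAP_SYS_RAWIO is bit 17 in linux/capability.h. The status dumps below are constructed samples.

```python
"""Check whether a process holds CAP_SYS_RAWIO from its /proc/<pid>/status."""
import re

CAP_SYS_RAWIO = 17  # capability number from linux/capability.h

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_sets(status_text: str) -> dict:
    """Return the Cap* lines of a /proc/<pid>/status dump as integer masks."""
    caps = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps


def has_cap(mask: int, cap: int) -> bool:
    """True if capability number `cap` is set in the bitmask `mask`."""
    return bool((mask >> cap) & 1)


def rawio_status(status_text: str) -> dict:
    """Report CAP_SYS_RAWIO in the effective, permitted and bounding sets."""
    caps = parse_cap_sets(status_text)
    return {name: has_cap(caps.get(name, 0), CAP_SYS_RAWIO)
            for name in ("CapEff", "CapPrm", "CapBnd")}


def current_process_rawio() -> dict:
    """Same check for the calling process (Linux only)."""
    with open("/proc/self/status") as f:
        return rawio_status(f.read())


# Constructed sample: unprivileged user running a binary that was given
# `setcap "CAP_SYS_RAWIO=ep"`; only bit 17 (0x20000) is set in Prm/Eff.
SAMPLE_SETCAP = ("Name:\tnvme\nCapInh:\t0000000000000000\nCapPrm:\t0000000000020000\n"
                 "CapEff:\t0000000000020000\nCapBnd:\t000001ffffffffff\n"
                 "CapAmb:\t0000000000000000\n")
# Constructed sample: the same user running a plain, uncapped binary.
SAMPLE_PLAIN = ("Name:\tnvme\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
                "CapEff:\t0000000000000000\nCapBnd:\t000001ffffffffff\n"
                "CapAmb:\t0000000000000000\n")

if __name__ == "__main__":
    print("setcap'd binary:", rawio_status(SAMPLE_SETCAP))
    print("plain binary:   ", rawio_status(SAMPLE_PLAIN))
```

Pointing `rawio_status` at `/proc/<pid>/status` for every pid gives an inventory of which running processes could reach a CAP_SYS_RAWIO-gated passthrough path.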