[PATCH 0/2] capability: Introduce CAP_BLOCK_ADMIN
Christoph Hellwig
hch at infradead.org
Tue May 23 06:18:46 UTC 2023
On Thu, May 11, 2023 at 03:05:18PM +0800, Tianjia Zhang wrote:
> Separated fine-grained capability CAP_BLOCK_ADMIN from CAP_SYS_ADMIN.
> For backward compatibility, the CAP_BLOCK_ADMIN capability is included
> within CAP_SYS_ADMIN.
Splitting out capabilities tends to massivel break userspace. Don't
do it.
> CAP_SYS_ADMIN is required in the PR protocol implementation of existing
> block devices in the Linux kernel, which has too many sensitive
> permissions, which may lead to risks such as container escape. The
> kernel needs to provide more fine-grained permission management like
> CAP_NET_ADMIN to avoid online products directly relying on root to run.
I'm pretty sure the PR API can be keyed off just permissions on the
block device node as nothing in it is fundamentally unsafe.
Please work on relaxing the permissions checks there.
More information about the Linux-security-module-archive
mailing list