[PATCH] RDMA/uverbs: Consider capability of the process that opens the file
Serge E. Hallyn
serge at hallyn.com
Sun Apr 27 14:30:58 UTC 2025

On Fri, Apr 25, 2025 at 03:35:29PM -0300, Jason Gunthorpe wrote:
> On Fri, Apr 25, 2025 at 12:34:21PM -0500, Eric W. Biederman wrote:
> > > What about something like CAP_SYS_RAWIO? I don't think we would ever
> > > make that a per-userns thing, but as a thought experiment, do we check
> > > current->XXX->user_ns or still check ibdev->netns->XX->user_ns?
> > >
> >
> > Oh. CAP_SYS_RAWIO is totally something you can have. In fact
> > the first process in a user namespace starts out with CAP_SYS_RAWIO.
> > That said it is CAP_SYS_RAWIO with respect to the user namespace.
> >
> > What would almost certainly be a bug is for any permission check
> > to be relaxed to ns_capable(resource->user_ns, CAP_SYS_RAWIO).
>
> So a process "has" it but the kernel never accepts it?

Capabilities are targeted at some resource. Sometimes the resource is
global, or always belongs to the initial user namespace. In the case
of rawio, if ever "device namespaces" became acceptable, then it could
in fact become namespaced for some resources.
-serge
More information about the Linux-security-module-archive
mailing list