[PATCH 1/2] misc: nsm: require CAP_SYS_ADMIN for raw ioctl

Next message: Vu Nguyen Anh Khoa: "[PATCH 2/2] misc: nsm: do not unlock mutex before locking it"
Previous message: Zenghui Yu: "[PATCH] params: fix path of /sys/module/XYZ/parameters/ in comment"
Next in thread: Vu Nguyen Anh Khoa: "[PATCH 2/2] misc: nsm: do not unlock mutex before locking it"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Vu Nguyen Anh Khoa

Date: Sun Jun 21 2026 - 05:02:46 EST

NSM_IOCTL_RAW lets userspace submit raw NSM messages. The UAPI
documents this ioctl as available only with CAP_SYS_ADMIN, but /dev/nsm
is registered with mode 0666 and nsm_dev_ioctl() does not enforce that
restriction.

Reject unprivileged raw ioctl requests before accepting user-controlled
NSM messages.

Signed-off-by: Vu Nguyen Anh Khoa <khoavna.tin.2225@xxxxxxxxx>
---
drivers/misc/nsm.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/drivers/misc/nsm.c b/drivers/misc/nsm.c
index ef7b32742..52790df7d 100644
--- a/drivers/misc/nsm.c
+++ b/drivers/misc/nsm.c
@@ -9,6 +9,7 @@
* space can use to issue these commands.
*/

+#include <linux/capability.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/interrupt.h>
@@ -361,6 +362,9 @@ static long nsm_dev_ioctl(struct file *file, unsigned int cmd,
if (cmd != NSM_IOCTL_RAW)
return -EINVAL;

+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
if (_IOC_SIZE(cmd) != sizeof(raw))
return -EINVAL;

--
2.43.0