Re: [PATCH 1/2] misc: nsm: require CAP_SYS_ADMIN for raw ioctl
From: Graf (AWS), Alexander
Date: Thu Jun 25 2026 - 18:23:49 EST
On 21.06.26 11:33, Alexander Graf wrote:
>
> On 21.06.26 10:57, Vu Nguyen Anh Khoa wrote:
>> NSM_IOCTL_RAW lets userspace submit raw NSM messages. The UAPI
>> documents this ioctl as available only with CAP_SYS_ADMIN, but /dev/nsm
>> is registered with mode 0666 and nsm_dev_ioctl() does not enforce that
>> restriction.
>>
>> Reject unprivileged raw ioctl requests before accepting user-controlled
>> NSM messages.
>>
>> Signed-off-by: Vu Nguyen Anh Khoa <khoavna.tin.2225@xxxxxxxxx>
>
>
> This must have fallen through the cracks when I juggled with the
> different versions during initial submission. Nice catch!
>
> Reviewed-by: Alexander Graf <graf@xxxxxxxxxx>
>
Actually, thinking a bit harder about it, I think this may break legit
use cases if you, for example, want to pass NSM access to a deprivileged
container namespace.

Greg, please drop this patch. It will break existing user space.

Vu, can you please instead patch the uapi header so it doesn't say "only
CAP_ADMIN"? That was a remnant of when the device had individual ioctls
for each command you could invoke, which turned out too ugly to pull
into the kernel. When reverting back to the "raw only" interface we have
today, I forgot to remove the CAP_ADMIN note.

Alex