Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net: psp: require admin permission for dev-set and key-rotate

The dev-set and key-rotate netlink operations modify shared device
state (PSP version configuration and cryptographic key material,
respectively) but do not require CAP_NET_ADMIN. The only access
control is psp_dev_check_access() which merely verifies netns
membership.

Fixes: 00c94ca2b99e ("psp: base PSP device support")
Reviewed-by: Daniel Zahka <daniel.zahka@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260427195856.401223-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+4 -2
+2
Documentation/netlink/specs/psp.yaml
··· 188 188 name: dev-set 189 189 doc: Set the configuration of a PSP device. 190 190 attribute-set: dev 191 + flags: [admin-perm] 191 192 do: 192 193 request: 193 194 attributes: ··· 208 207 name: key-rotate 209 208 doc: Rotate the device key. 210 209 attribute-set: dev 210 + flags: [admin-perm] 211 211 do: 212 212 request: 213 213 attributes:
+2 -2
net/psp/psp-nl-gen.c
··· 76 76 .post_doit = psp_device_unlock, 77 77 .policy = psp_dev_set_nl_policy, 78 78 .maxattr = PSP_A_DEV_PSP_VERSIONS_ENA, 79 - .flags = GENL_CMD_CAP_DO, 79 + .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, 80 80 }, 81 81 { 82 82 .cmd = PSP_CMD_KEY_ROTATE, ··· 85 85 .post_doit = psp_device_unlock, 86 86 .policy = psp_key_rotate_nl_policy, 87 87 .maxattr = PSP_A_DEV_ID, 88 - .flags = GENL_CMD_CAP_DO, 88 + .flags = GENL_ADMIN_PERM | GENL_CMD_CAP_DO, 89 89 }, 90 90 { 91 91 .cmd = PSP_CMD_RX_ASSOC,
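Review bot: In Documentation/netlink/specs/psp.yaml, the `doc:` strings for dev-set ("Set the configuration of a PSP device.") and key-rotate ("Rotate the device key.") still say nothing about the privilege requirement that `flags: [admin-perm]` now imposes. Spec readers and users of generated documentation would benefit from a short mention in each `doc:` line that the operation requires CAP_NET_ADMIN, so that a permission error from these two commands is not a surprise.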
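Review bot: In net/psp/psp-nl-gen.c, only the PSP_CMD_DEV_SET and PSP_CMD_KEY_ROTATE entries gain GENL_ADMIN_PERM, and the trailing context shows the next entry, PSP_CMD_RX_ASSOC, starting right after with its flags outside the hunk. The commit message should say in one sentence why the remaining operations can stay reachable with only the psp_dev_check_access() netns check, so the privilege boundary is documented rather than implied. Two smaller points: this is a user-visible behaviour change for any caller that issued dev-set or key-rotate without CAP_NET_ADMIN, so it is worth stating that in the message, and a selftest that runs both commands without the capability and expects a permission error would keep the flag from being dropped in a later regeneration of this file.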