]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b89769f)
net: psp: require admin permission for dev-set and key-rotate
authorJakub Kicinski <kuba@kernel.org>
Mon, 27 Apr 2026 19:58:56 +0000 (12:58 -0700)
committerJakub Kicinski <kuba@kernel.org>
Wed, 29 Apr 2026 00:44:20 +0000 (17:44 -0700)
The dev-set and key-rotate netlink operations modify shared device
state (PSP version configuration and cryptographic key material,
respectively) but do not require CAP_NET_ADMIN. The only access
control is psp_dev_check_access() which merely verifies netns
membership.

Fixes: 00c94ca2b99e ("psp: base PSP device support")
Reviewed-by: Daniel Zahka <daniel.zahka@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20260427195856.401223-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Documentation/netlink/specs/psp.yaml patch | blob | blame | history
net/psp/psp-nl-gen.c patch | blob | blame | history

diff --git a/Documentation/netlink/specs/psp.yaml b/Documentation/netlink/specs/psp.yaml
index 100c36cda8e5d4f35225c3723ced21bbb12c9aed..bfcd6e4ecb850ee5a2439cacc0ce7832687e11ce 100644 (file)
--- a/Documentation/netlink/specs/psp.yaml
+++ b/Documentation/netlink/specs/psp.yaml
@@ -188,6 +188,7 @@ operations:
       name: dev-set
       doc: Set the configuration of a PSP device.
       attribute-set: dev
+      flags: [admin-perm]
       do:
         request:
           attributes:
@@ -207,6 +208,7 @@ operations:
       name: key-rotate
       doc: Rotate the device key.
       attribute-set: dev
+      flags: [admin-perm]
       do:
         request:
           attributes:
diff --git a/net/psp/psp-nl-gen.c b/net/psp/psp-nl-gen.c
index 22a48d0fa378c9b80d9c76b4cbc0557fa85163bc..953309952cef75c8b4c14f69d3f941200ee46935 100644 (file)
--- a/net/psp/psp-nl-gen.c
+++ b/net/psp/psp-nl-gen.c
@@ -76,7 +76,7 @@ static const struct genl_split_ops psp_nl_ops[] = {
                .post_doit      = psp_device_unlock,
                .policy         = psp_dev_set_nl_policy,
                .maxattr        = PSP_A_DEV_PSP_VERSIONS_ENA,
-               .flags          = GENL_CMD_CAP_DO,
+               .flags          = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
        },
        {
                .cmd            = PSP_CMD_KEY_ROTATE,
@@ -85,7 +85,7 @@ static const struct genl_split_ops psp_nl_ops[] = {
                .post_doit      = psp_device_unlock,
                .policy         = psp_key_rotate_nl_policy,
                .maxattr        = PSP_A_DEV_ID,
-               .flags          = GENL_CMD_CAP_DO,
+               .flags          = GENL_ADMIN_PERM | GENL_CMD_CAP_DO,
        },
        {
                .cmd            = PSP_CMD_RX_ASSOC,
A mirror of Linus' kernel repository