[Devel] [PATCH 2/4] blk-cbt: Factor out common capability check

Konstantin Khorenko khorenko at virtuozzo.com
Tue Feb 21 21:19:09 MSK 2023


On 27.01.2023 12:34, Nikolay Borisov wrote:
> Instead of duplicating CAP_SYS_ADMIN check for every block-cbt ioctl
> apart from BLKCBTGET simply factor out the check in the beginning of
> blk_cbt_ioctl.
> 
> Signed-off-by: Nikolay Borisov <nikolay.borisov at virtuozzo.com>
> ---
>   block/blk-cbt.c | 17 +++--------------
>   1 file changed, 3 insertions(+), 14 deletions(-)
> 
> diff --git a/block/blk-cbt.c b/block/blk-cbt.c
> index e2a9be83ac0d..269709c7589b 100644
> --- a/block/blk-cbt.c
> +++ b/block/blk-cbt.c
> @@ -992,32 +992,21 @@ int blk_cbt_ioctl(struct block_device *bdev, unsigned cmd, char __user *arg)
>   {
>   	struct blk_user_cbt_info __user *ucbt_ioc = (struct blk_user_cbt_info __user *) arg;
>   
> +	if (cmd != BLKCBTGET && !capable(CAP_SYS_ADMIN))
> +		return -EACCES;
> +

BTW, this changes the behavior a bit.
In case the cmd provided is unknown previously we hit BUG() in any case,
and now we get -EACCES in case !capable(CAP_SYS_ADMIN).

Though i don't think this is a show stopper for this patch.

>   	switch(cmd) {
>   	case BLKCBTSTART:
> -		if (!capable(CAP_SYS_ADMIN))
> -			return -EACCES;
>   		return cbt_ioc_init(bdev, ucbt_ioc);
>   	case BLKCBTSTOP:
> -		if (!capable(CAP_SYS_ADMIN))
> -			return -EACCES;
> -
>   		return cbt_ioc_stop(bdev);
>   	case BLKCBTGET:
>   		return cbt_ioc_get(bdev, ucbt_ioc);
>   	case BLKCBTSET:
> -		if (!capable(CAP_SYS_ADMIN))
> -			return -EACCES;
> -
>   		return cbt_ioc_set(bdev, ucbt_ioc, 1);
>   	case BLKCBTCLR:
> -		if (!capable(CAP_SYS_ADMIN))
> -			return -EACCES;
> -
>   		return cbt_ioc_set(bdev, ucbt_ioc, 0);
>   	case BLKCBTMISC:
> -		if (!capable(CAP_SYS_ADMIN))
> -			return -EACCES;
> -
>   		return cbt_ioc_misc(bdev, arg);
>   	default:
>   		BUG();


More information about the Devel mailing list