On 2021/06/03 18:54, David Sterba wrote: > On Mon, May 31, 2021 at 01:54:53PM +0000, Niklas Cassel wrote: >> From: Niklas Cassel <niklas.cassel@xxxxxxx> >> >> Performing a BLKREPORTZONE operation should be allowed under the same >> permissions as read(). (read() does not require CAP_SYS_ADMIN). >> >> Remove the CAP_SYS_ADMIN requirement, and instead check that the fd was >> successfully opened with FMODE_READ. This way BLKREPORTZONE will match >> the access control requirement of read(). > > Does this mean that a process that does not have read nor write access > to the device itself (blocks) is capable of reading the zone > information? Eg. some monitoring tool. With this change, to do a report zones, the process will only need to have read access to the device. And if it has read access, it also means that it can read the zones content. -- Damien Le Moal Western Digital Research
