On Mon, Jun 14, 2021 at 12:23:21PM +0000, Niklas Cassel wrote:
> From: Niklas Cassel <niklas.cassel@xxxxxxx>
>
> A user space process should not need the CAP_SYS_ADMIN capability set
> in order to perform a BLKREPORTZONE ioctl.
>
> Getting the zone report is required in order to get the write pointer.
> Neither read() nor write() requires CAP_SYS_ADMIN, so it is reasonable
> that a user space process that can read/write from/to the device, also
> can get the write pointer. (Since e.g. writes have to be at the write
> pointer.)
>
> Fixes: 3ed05a987e0f ("blk-zoned: implement ioctls")
> Signed-off-by: Niklas Cassel <niklas.cassel@xxxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx # v4.10+
> ---
> Changes since v2:
> -Drop the FMODE_READ check. Right now it is possible to open() the device with
> O_WRONLY and get the zone report from that fd. Therefore adding a FMODE_READ
> check on BLKREPORTZONE would break existing applications. Instead, just remove
> the existing CAP_SYS_ADMIN check.
>
> block/blk-zoned.c | 3 ---
> 1 file changed, 3 deletions(-)
>
> diff --git a/block/blk-zoned.c b/block/blk-zoned.c
> index 0789e6e9f7db..457eceabed2e 100644
> --- a/block/blk-zoned.c
> +++ b/block/blk-zoned.c
> @@ -288,9 +288,6 @@ int blkdev_report_zones_ioctl(struct block_device *bdev, fmode_t mode,
> if (!blk_queue_is_zoned(q))
> return -ENOTTY;
>
> - if (!capable(CAP_SYS_ADMIN))
> - return -EACCES;
> -
> if (copy_from_user(&rep, argp, sizeof(struct blk_zone_report)))
> return -EFAULT;
>
> --
> 2.31.1
LGTM
Reviewed-by: Adam Manzanares <a.manzanares@xxxxxxxxxxx>
