I wonder if a better way of adding SG_IO command filtering is via eBPF? We are currently carrying a inside Google a patch which allows a specific of SCSI commands to non-root processes --- if the process belonged to a particular Unix group id. It's pretty specific to our use case, in terms of the specific SCSI commands we want to allow through. I can imagine people wanting different filters based on the type of the SCSI device, or a HDD's WWID, not just a group id. For example, this might be useful for people wanting to do crazy things with containers --- maybe you'd want to allow container root to send a SANITIZE ERASE command to one of its exclusively assigned disks, but not to other HDD's. So having something that's more general than a flat file in sysfs might be preferable to resurrecting an interface which we would then after to support forever, even if we come up with a more general interface. - Ted
