
[PATCH 6/6] ioctl eofblocks: require non-privileged users to specify uid

To: Dave Chinner <david@xxxxxxxxxxxxx>
Subject: [PATCH 6/6] ioctl eofblocks: require non-privileged users to specify uid/gid match
From: Dwight Engen <dwight.engen@xxxxxxxxxx>
Date: Fri, 28 Jun 2013 11:11:38 -0400
Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxx>, xfs@xxxxxxxxxxx, Serge Hallyn <serge.hallyn@xxxxxxxxxx>, Brian Foster <bfoster@xxxxxxxxxx>
Delivered-to: xfs@xxxxxxxxxxx
In-reply-to: <20130626020924.GD29376@dastard>
Organization: Oracle Corporation
References: <20130619110948.0bfafa2b@xxxxxxxxxx> <20130620001341.GM29338@dastard> <20130620095410.1917d235@xxxxxxxxxx> <20130620220311.GT29376@dastard> <20130621111420.5592707e@xxxxxxxxxx> <20130624003316.GH29376@dastard> <20130624091035.6274800f@xxxxxxxxxx> <20130626020924.GD29376@dastard>
Signed-off-by: Dwight Engen <dwight.engen@xxxxxxxxxx>
---
 fs/xfs/xfs_ioctl.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 487dca5..123314e 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -1655,6 +1655,23 @@ xfs_file_ioctl(
                if (error)
                        return -XFS_ERROR(error);
 
+               /* non-privileged users should not be able to trim blocks on
+                * objects they cannot write to, so require them to specify
+                * either their own uid, or a group they are a member of
+                */
+               if (!capable(CAP_SYS_ADMIN)) {
+                       if (!(eofb.eof_flags & (XFS_EOF_FLAGS_UID | 
XFS_EOF_FLAGS_GID)))
+                               return -XFS_ERROR(EPERM);
+
+                       if ((eofb.eof_flags & XFS_EOF_FLAGS_UID) &&
+                           !uid_eq(current_fsuid(), keofb.eof_uid))
+                               return -XFS_ERROR(EPERM);
+
+                       if ((eofb.eof_flags & XFS_EOF_FLAGS_GID) &&
+                           !in_group_p(keofb.eof_gid))
+                               return -XFS_ERROR(EPERM);
+               }
+
                error = xfs_icache_free_eofblocks(mp, &keofb);
                return -error;
        }
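Review bot: In the XFS_EOF_FLAGS_GID branch, in_group_p(keofb.eof_gid) only establishes that the caller is a member of that group, which is weaker than the comment's stated goal of not trimming blocks "on objects they cannot write to". An inode owned by another user whose group bits do not grant write would still match a GID-only filter. Consider requiring XFS_EOF_FLAGS_UID for callers without CAP_SYS_ADMIN, or checking write permission on each inode during the scan, and reword the comment to match whichever policy is chosen. Smaller points: the flag tests read eofb.eof_flags while the id comparisons read keofb.eof_uid and keofb.eof_gid, so using one struct throughout would be easier to follow if the converted copy carries the flags; the multi-line comment should open with a bare /* line per kernel style; and the commit message has no body describing the new EPERM behaviour for unprivileged callers.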
-- 
1.8.1.4
