bcachefs: Enforce SYS_CAP_ADMIN within ioctls

bch2_fs_ioctl() didn't distinguish between unsupported ioctls and those which the current user is unauthorised to perform. That kept the code simple but meant that, for example, an unprivileged TIOCGWINSZ ioctl on a bcachefs file would return -EPERM instead of the expected -ENOTTY. The same call made by a privileged user would correctly return -ENOTTY. Fix this discrepancy by moving the check for CAP_SYS_ADMIN into each privileged ioctl function. Signed-off-by: Tobias Geerinckx-Rice <me@tobias.gr> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>

bcachefs: Enforce SYS_CAP_ADMIN within ioctls
bch2_fs_ioctl() didn't distinguish between unsupported ioctls and those which the current user is unauthorised to perform. That kept the code simple but meant that, for example, an unprivileged TIOCGWINSZ ioctl on a bcachefs file would return -EPERM instead of the expected -ENOTTY. The same call made by a privileged user would correctly return -ENOTTY. Fix this discrepancy by moving the check for CAP_SYS_ADMIN into each privileged ioctl function. Signed-off-by: Tobias Geerinckx-Rice <me@tobias.gr> Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
a515d0a5 · Tobias Geerinckx-Rice · Kent Overstreet · 508b1f71 · a515d0a5
Commit a515d0a5 authored Jul 04, 2021 by Tobias Geerinckx-Rice Committed by Kent Overstreet Oct 22, 2023
Show whitespace changes
Inline Side-by-side

Showing with 36 additions and 8 deletions

fs/bcachefs/chardev.c fs/bcachefs/chardev.c +36 -8

No files found.
--- a/fs/bcachefs/chardev.c
+++ b/fs/bcachefs/chardev.c
@@ -157,6 +157,9 @@ static long bch2_ioctl_query_uuid(struct bch_fs *c,
 #if 0
 static long bch2_ioctl_start(struct bch_fs *c, struct bch_ioctl_start arg)
 {
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if (arg.flags || arg.pad)
 		return -EINVAL;
@@ -165,6 +168,9 @@ static long bch2_ioctl_start(struct bch_fs *c, struct bch_ioctl_start arg)
 static long bch2_ioctl_stop(struct bch_fs *c)
 {
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	bch2_fs_stop(c);
 	return 0;
 }
@@ -175,6 +181,9 @@ static long bch2_ioctl_disk_add(struct bch_fs *c, struct bch_ioctl_disk arg)
 	char *path;
 	int ret;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if (arg.flags || arg.pad)
 		return -EINVAL;
@@ -192,6 +201,9 @@ static long bch2_ioctl_disk_remove(struct bch_fs *c, struct bch_ioctl_disk arg)
 {
 	struct bch_dev *ca;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if ((arg.flags & ~(BCH_FORCE_IF_DATA_LOST|
 			   BCH_FORCE_IF_METADATA_LOST|
 			   BCH_FORCE_IF_DEGRADED|
@@ -211,6 +223,9 @@ static long bch2_ioctl_disk_online(struct bch_fs *c, struct bch_ioctl_disk arg)
 	char *path;
 	int ret;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if (arg.flags || arg.pad)
 		return -EINVAL;
@@ -228,6 +243,9 @@ static long bch2_ioctl_disk_offline(struct bch_fs *c, struct bch_ioctl_disk arg)
 	struct bch_dev *ca;
 	int ret;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if ((arg.flags & ~(BCH_FORCE_IF_DATA_LOST|
 			   BCH_FORCE_IF_METADATA_LOST|
 			   BCH_FORCE_IF_DEGRADED|
@@ -250,6 +268,9 @@ static long bch2_ioctl_disk_set_state(struct bch_fs *c,
 	struct bch_dev *ca;
 	int ret;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if ((arg.flags & ~(BCH_FORCE_IF_DATA_LOST|
 			   BCH_FORCE_IF_METADATA_LOST|
 			   BCH_FORCE_IF_DEGRADED|
@@ -331,6 +352,9 @@ static long bch2_ioctl_data(struct bch_fs *c,
 	unsigned flags = O_RDONLY|O_CLOEXEC|O_NONBLOCK;
 	int ret, fd = -1;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if (arg.op >= BCH_DATA_OP_NR || arg.flags)
 		return -EINVAL;
@@ -497,6 +521,9 @@ static long bch2_ioctl_read_super(struct bch_fs *c,
 	struct bch_sb *sb;
 	int ret = 0;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if ((arg.flags & ~(BCH_BY_INDEX|BCH_READ_DEV)) ||
 	    arg.pad)
 		return -EINVAL;
@@ -537,6 +564,9 @@ static long bch2_ioctl_disk_get_idx(struct bch_fs *c,
 	struct bch_dev *ca;
 	unsigned i;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	for_each_online_member(ca, c, i)
 		if (ca->disk_sb.bdev->bd_dev == dev) {
 			percpu_ref_put(&ca->io_ref);
@@ -552,6 +582,9 @@ static long bch2_ioctl_disk_resize(struct bch_fs *c,
 	struct bch_dev *ca;
 	int ret;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if ((arg.flags & ~BCH_BY_INDEX) ||
 	    arg.pad)
 		return -EINVAL;
@@ -572,6 +605,9 @@ static long bch2_ioctl_disk_resize_journal(struct bch_fs *c,
 	struct bch_dev *ca;
 	int ret;
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	if ((arg.flags & ~BCH_BY_INDEX) ||
 	    arg.pad)
 		return -EINVAL;
@@ -597,7 +633,6 @@ do {									\
 long bch2_fs_ioctl(struct bch_fs *c, unsigned cmd, void __user *arg)
 {
-	/* ioctls that don't require admin cap: */
 	switch (cmd) {
 	case BCH_IOCTL_QUERY_UUID:
 		return bch2_ioctl_query_uuid(c, arg);
@@ -605,12 +640,6 @@ long bch2_fs_ioctl(struct bch_fs *c, unsigned cmd, void __user *arg)
 		return bch2_ioctl_fs_usage(c, arg);
 	case BCH_IOCTL_DEV_USAGE:
 		return bch2_ioctl_dev_usage(c, arg);
-	}
-	if (!capable(CAP_SYS_ADMIN))
-		return -EPERM;
-	switch (cmd) {
 #if 0
 	case BCH_IOCTL_START:
 		BCH_IOCTL(start, struct bch_ioctl_start);
@@ -626,7 +655,6 @@ long bch2_fs_ioctl(struct bch_fs *c, unsigned cmd, void __user *arg)
 	if (!test_bit(BCH_FS_STARTED, &c->flags))
 		return -EINVAL;
-	/* ioctls that do require admin cap: */
 	switch (cmd) {
 	case BCH_IOCTL_DISK_ADD:
 		BCH_IOCTL(disk_add, struct bch_ioctl_disk);