Be a bit more anal about allowing SCSI commands to be sent.

Normal users shouldn't have access to the raw device anyway unless they are in the trusted "disk" group, but let's require RAWIO capabilities. That's what the original SCSI interfaces did anyhoo. We probably _should_ just require write access, but that will need more of a code change to pass down the file descriptor.

Be a bit more anal about allowing SCSI commands to be sent.
Normal users shouldn't have access to the raw device anyway unless they are in the trusted "disk" group, but let's require RAWIO capabilities. That's what the original SCSI interfaces did anyhoo. We probably _should_ just require write access, but that will need more of a code change to pass down the file descriptor.
1dde9f57 · Linus Torvalds · 43d15eb2 · 1dde9f57
Commit 1dde9f57 authored Aug 11, 2004 by Linus Torvalds
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

drivers/block/scsi_ioctl.c drivers/block/scsi_ioctl.c +4 -0

No files found.
--- a/drivers/block/scsi_ioctl.c
+++ b/drivers/block/scsi_ioctl.c
@@ -115,6 +115,8 @@ static int sg_io(request_queue_t *q, struct gendisk *bd_disk,
 	char sense[SCSI_SENSE_BUFFERSIZE];
 	unsigned char cmd[BLK_MAX_CDB];

+	if (!capable(CAP_SYS_RAWIO))
+		return -EPERM;
 	if (hdr->interface_id != 'S')
 		return -EINVAL;
 	if (hdr->cmd_len > BLK_MAX_CDB)
@@ -233,6 +235,8 @@ static int sg_scsi_ioctl(request_queue_t *q, struct gendisk *bd_disk,
 	int err, in_len, out_len, bytes, opcode, cmdlen;
 	char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];

+	if (!capable(CAP_SYS_RAWIO))
+		return -EPERM;
 	/*
 	 * get in an out lengths, verify they don't exceed a page worth of data
 	 */