Hi,
On 27.01.23 13:34, Nikolay Borisov wrote:
Instead of duplicating the CAP_SYS_ADMIN check in every block-cbt ioctl
apart from BLKCBTGET, simply factor the check out to the beginning of
blk_cbt_ioctl.
Signed-off-by: Nikolay Borisov <nikolay.bori...@virtuozzo.com>
---
block/blk-cbt.c | 17 +++--------------
1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/block/blk-cbt.c b/block/blk-cbt.c
index e2a9be83ac0d..269709c7589b 100644
--- a/block/blk-cbt.c
+++ b/block/blk-cbt.c
@@ -992,32 +992,21 @@ int blk_cbt_ioctl(struct block_device *bdev, unsigned
cmd, char __user *arg)
{
struct blk_user_cbt_info __user *ucbt_ioc = (struct blk_user_cbt_info
__user *) arg;
+ if (cmd != BLKCBTGET && !capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
switch(cmd) {
case BLKCBTSTART:
- if (!capable(CAP_SYS_ADMIN))
- return -EACCES;
return cbt_ioc_init(bdev, ucbt_ioc);
case BLKCBTSTOP:
- if (!capable(CAP_SYS_ADMIN))
- return -EACCES;
-
return cbt_ioc_stop(bdev);
case BLKCBTGET:
return cbt_ioc_get(bdev, ucbt_ioc);
case BLKCBTSET:
- if (!capable(CAP_SYS_ADMIN))
- return -EACCES;
-
return cbt_ioc_set(bdev, ucbt_ioc, 1);
case BLKCBTCLR:
- if (!capable(CAP_SYS_ADMIN))
- return -EACCES;
-
return cbt_ioc_set(bdev, ucbt_ioc, 0);
case BLKCBTMISC:
- if (!capable(CAP_SYS_ADMIN))
- return -EACCES;
-
return cbt_ioc_misc(bdev, arg);
default:
BUG();
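Review bot: The hoisted guard `if (cmd != BLKCBTGET && !capable(CAP_SYS_ADMIN))` now makes every command privileged unless it is named in the condition, and that fail-closed rule is not documented anywhere in the hunk. A comment above it, such as `/* Every CBT ioctl except BLKCBTGET requires CAP_SYS_ADMIN; new commands are privileged unless exempted here. */`, would make any later exemption a deliberate choice. Separately, a caller holding CAP_SYS_ADMIN that passes an unrecognised cmd still reaches `default: BUG();`. The dispatcher is not visible here, so if it does not already filter cmd, `default: return -ENOTTY;` would avoid a userspace-triggerable BUG. The body of blk_cbt_ioctl continues past the end of the hunk.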
LGTM - BLKCBTGET is the only exception to the admin check and it is
handled.
--
Regards,
Alexander Atanasov