I wonder if a better way of adding SG_IO command filtering is via
eBPF? We are currently carrying a inside Google a patch which allows
a specific of SCSI commands to non-root processes --- if the process
belonged to a particular Unix group id.
It's pretty specific to our use case, in terms of the specific SCSI
commands we want to allow through. I can imagine people wanting
different filters based on the type of the SCSI device, or a HDD's
WWID, not just a group id. For example, this might be useful for
people wanting to do crazy things with containers --- maybe you'd
want to allow container root to send a SANITIZE ERASE command to one
of its exclusively assigned disks, but not to other HDD's.
So having something that's more general than a flat file in sysfs
might be preferable to resurrecting an interface which we would then
after to support forever, even if we come up with a more general
interface.
- Ted
