* [PATCH 0/1 RESEND] Allow non-root users to perform ZBC commands.
From: Ryan Attard @ 2020-02-26 17:05 UTC (permalink / raw)
To: linux-scsi, linux-block
Cc: ryanattard, axboe, dgilbert, jejb, martin.petersen
Resending since I missed some emails on the first:
The source of this issue is that a group is configured that allows a service
user to perform reads and writes to a specific set of disks, and the permissions
on the sd device entries for a host managed device have permissions 0660, same
as the sg device entry. Operations succeed on the sg device (since there is
a different code path for handling those operations).
There was some hand-wringing around adding CAP_SYS_RAWIO capabilities to that
user, since it includes things like /dev/mem access which was not desired or
required to perform disk write operations.
Example failure:
root@device_with_zbc_disks:~# su -s /bin/bash -c 'sg_rep_zones -vv /dev/sdh -m 128' USER_LOW_PERMS
open /dev/sdh with flags=0x802
Report zones cdb: 95 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00
ioctl(SG_IO v3) failed: Operation not permitted (errno=1)
report zones: pass through os error: Operation not permitted
Report zones command: Sense category: -1
root@device_with_zbc_disks:~# su -s /bin/bash -c 'sg_rep_zones -vv /dev/sg7 -m 128' USER_LOW_PERMS
open /dev/sdh with flags=0x802
Report zones cdb: 95 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00
zl_len available is 2624, response length is 128
Report zones response:
Same=0: zone type and length may differ in each descriptor
<snip>
Example with patch:
root@device_with_zbc_disks:~# su -s /bin/bash -c 'sg_rep_zones -vv /dev/sdh -m 128' USER_LOW_PERMS
open /dev/sdh with flags=0x802
Report zones cdb: 95 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00
zl_len available is 2624, response length is 128
Report zones response:
Same=0: zone type and length may differ in each descriptor
<snip>
Thanks,
Ryan
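The EPERM on /dev/sdh and the success after the patch, shown in the two runs above, can be reproduced with a small user-space model of the per-opcode command filter. This is an added example, not code from this thread or from the kernel: the names make_filter, verify_command and MODE_* are hypothetical, the order of the checks is a simplified assumption about how the filter is consulted, and only the two ZBC entries are modelled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#define ZBC_OUT 0x94   /* zone management (open/close/finish/reset write pointer) */
#define ZBC_IN  0x95   /* REPORT ZONES, the "cdb: 95 00 ..." in the log above */
#define MODE_READ  0x1 /* stand-ins for the kernel's FMODE_READ / FMODE_WRITE */
#define MODE_WRITE 0x2

struct cmd_filter {            /* one bit per SCSI opcode, i.e. cdb[0] */
    unsigned char read_ok[32];
    unsigned char write_ok[32];
};
static void set_op(unsigned char *map, unsigned op) { map[op / 8] |= 1u << (op % 8); }
static bool has_op(const unsigned char *map, unsigned op) { return map[op / 8] >> (op % 8) & 1; }

/* Build the filter with or without the two entries the patch adds. */
struct cmd_filter make_filter(bool patched)
{
    struct cmd_filter f = {0};
    if (patched) {
        set_op(f.write_ok, ZBC_OUT);
        set_op(f.read_ok, ZBC_IN);
    }
    return f;
}

/* Model of the decision: 0 = allowed, -EPERM = rejected. */
int verify_command(const struct cmd_filter *f, const unsigned char *cdb,
                   unsigned mode, bool cap_sys_rawio)
{
    if (cap_sys_rawio)                  /* privileged callers bypass the filter */
        return 0;
    if (has_op(f->read_ok, cdb[0]))     /* read-safe: any successful open is enough */
        return 0;
    if (has_op(f->write_ok, cdb[0]) && (mode & MODE_WRITE))
        return 0;                       /* write-safe: needs a writable open */
    return -EPERM;                      /* only cdb[0] was looked at, never cdb[1] */
}

int main(void)
{
    const unsigned char report_zones[16] = { ZBC_IN };     /* constructed CDBs */
    const unsigned char reset_wp[16] = { ZBC_OUT, 0x04 };  /* service action 4 */
    struct cmd_filter before = make_filter(false), after = make_filter(true);
    printf("unpatched REPORT ZONES: %d\n", verify_command(&before, report_zones, MODE_WRITE, false));
    printf("patched REPORT ZONES, read-only open: %d\n", verify_command(&after, report_zones, MODE_READ, false));
    printf("patched reset WP, read-only open: %d\n", verify_command(&after, reset_wp, MODE_READ, false));
    return 0;
}
```

Because the decision is keyed on the opcode byte alone, every service action under an allowed opcode is admitted together, which is the trade-off to weigh against granting CAP_SYS_RAWIO.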
* [PATCH 1/1 RESEND] Allow non-root users to perform ZBC commands.
From: Ryan Attard @ 2020-02-26 17:05 UTC (permalink / raw)
To: linux-scsi, linux-block
Cc: ryanattard, axboe, dgilbert, jejb, martin.petersen
Allow users with read permissions to issue REPORT ZONE commands and
users with write permissions to manage zones on block devices supporting
the ZBC specification.
Signed-off-by: Ryan Attard <ryanattard@ryanattard.info>
---
block/scsi_ioctl.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index b4e73d5dd5c2..ef722f04f88a 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -193,6 +193,10 @@ static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
__set_bit(GPCMD_LOAD_UNLOAD, filter->write_ok);
__set_bit(GPCMD_SET_STREAMING, filter->write_ok);
__set_bit(GPCMD_SET_READ_AHEAD, filter->write_ok);
+
+ /* ZBC Commands */
+ __set_bit(ZBC_OUT, filter->write_ok);
+ __set_bit(ZBC_IN, filter->read_ok);
}
int blk_verify_command(unsigned char *cmd, fmode_t mode)
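Review bot: `__set_bit(ZBC_OUT, filter->write_ok);` admits the whole opcode, and the bitmaps in this function are indexed by opcode only, so every zone-management action carried under ZBC_OUT (such as resetting a zone's write pointer) becomes available to any opener with write access and no capability check. That is consistent with the stated intent that "users with write permissions ... manage zones", but the `/* ZBC Commands */` comment does not say it; consider expanding it to state that ZBC_OUT covers all zone-management service actions and ZBC_IN is REPORT ZONES, so a later reader auditing the whitelist does not assume only a subset is exposed.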
--
2.24.1
* Re: [PATCH 1/1 RESEND] Allow non-root users to perform ZBC commands.
From: Martin K. Petersen @ 2020-03-11 3:10 UTC (permalink / raw)
To: Damien Le Moal
Cc: linux-scsi, linux-block, axboe, dgilbert, jejb, martin.petersen,
Ryan Attard
Damien: Please opine.
> Allow users with read permissions to issue REPORT ZONE commands and
> users with write permissions to manage zones on block devices supporting
> the ZBC specification.
>
> Signed-off-by: Ryan Attard <ryanattard@ryanattard.info>
> ---
> block/scsi_ioctl.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
> index b4e73d5dd5c2..ef722f04f88a 100644
> --- a/block/scsi_ioctl.c
> +++ b/block/scsi_ioctl.c
> @@ -193,6 +193,10 @@ static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
> __set_bit(GPCMD_LOAD_UNLOAD, filter->write_ok);
> __set_bit(GPCMD_SET_STREAMING, filter->write_ok);
> __set_bit(GPCMD_SET_READ_AHEAD, filter->write_ok);
> +
> + /* ZBC Commands */
> + __set_bit(ZBC_OUT, filter->write_ok);
> + __set_bit(ZBC_IN, filter->read_ok);
> }
>
> int blk_verify_command(unsigned char *cmd, fmode_t mode)
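Review bot: `__set_bit(ZBC_IN, filter->read_ok);` is added at the tail of a run of `write_ok` entries (all three context lines above the addition set `write_ok`), so a read-safe opcode ends up registered in the write-safe part of blk_set_cmd_filter_defaults(). Consider moving the ZBC_IN line next to the other `read_ok` entries, or at least listing it first under the new comment with a word on why it is read-safe, so the two lists stay easy to audit separately.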
--
Martin K. Petersen Oracle Linux Engineering
* Re: [PATCH 1/1 RESEND] Allow non-root users to perform ZBC commands.
From: Damien Le Moal @ 2020-03-11 3:48 UTC (permalink / raw)
To: Martin K. Petersen
Cc: linux-scsi, linux-block, axboe, dgilbert, jejb, Ryan Attard
On 2020/03/11 12:10, Martin K. Petersen wrote:
>
> Damien: Please opine.
My apologies. This one slipped through the cracks...
>> Allow users with read permissions to issue REPORT ZONE commands and
>> users with write permissions to manage zones on block devices supporting
>> the ZBC specification.
I think this is fine for SG_IO ioctls since other SG_IO commands with an impact
on the device data (write) can be done without CAP_SYS_ADMIN as required by
block device file ioctl.
>>
>> Signed-off-by: Ryan Attard <ryanattard@ryanattard.info>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
>> ---
>> block/scsi_ioctl.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
>> index b4e73d5dd5c2..ef722f04f88a 100644
>> --- a/block/scsi_ioctl.c
>> +++ b/block/scsi_ioctl.c
>> @@ -193,6 +193,10 @@ static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
>> __set_bit(GPCMD_LOAD_UNLOAD, filter->write_ok);
>> __set_bit(GPCMD_SET_STREAMING, filter->write_ok);
>> __set_bit(GPCMD_SET_READ_AHEAD, filter->write_ok);
>> +
>> + /* ZBC Commands */
>> + __set_bit(ZBC_OUT, filter->write_ok);
>> + __set_bit(ZBC_IN, filter->read_ok);
>> }
>>
>> int blk_verify_command(unsigned char *cmd, fmode_t mode)
>
--
Damien Le Moal
Western Digital Research
* Re: [PATCH 1/1 RESEND] Allow non-root users to perform ZBC commands.
From: Martin K. Petersen @ 2020-03-12 3:15 UTC (permalink / raw)
To: Ryan Attard
Cc: linux-scsi, linux-block, axboe, dgilbert, jejb, martin.petersen
Ryan,
> Allow users with read permissions to issue REPORT ZONE commands and
> users with write permissions to manage zones on block devices
> supporting the ZBC specification.
Applied to 5.7/scsi-queue, thanks!
--
Martin K. Petersen Oracle Linux Engineering