* [PATCH 0/1 RESEND] Allow non-root users to perform ZBC commands.
@ 2020-02-26 17:05 Ryan Attard
  2020-02-26 17:05 ` [PATCH 1/1 " Ryan Attard
  0 siblings, 1 reply; 5+ messages in thread
From: Ryan Attard @ 2020-02-26 17:05 UTC (permalink / raw)
  To: linux-scsi, linux-block
  Cc: ryanattard, axboe, dgilbert, jejb, martin.petersen

Resending since I missed some emails on the first:

The source of this issue is that a group is configured that allows a service
user to perform reads and writes to a specific set of disks, and the
permissions on the sd device entries for a host managed device are 0660, the
same as the sg device entry. Operations succeed on the sg device (since there
is a different code path for handling those operations).

There was some hand-wringing around adding CAP_SYS_RAWIO capabilities to that
user, since it includes things like /dev/mem access, which was not desired or
required to perform disk write operations.

Example failure:
root@device_with_zbc_disks:~# su -s /bin/bash -c 'sg_rep_zones -vv /dev/sdh -m 128' USER_LOW_PERMS
open /dev/sdh with flags=0x802
    Report zones cdb: 95 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00
ioctl(SG_IO v3) failed: Operation not permitted (errno=1)
report zones: pass through os error: Operation not permitted
Report zones command: Sense category: -1
root@device_with_zbc_disks:~# su -s /bin/bash -c 'sg_rep_zones -vv /dev/sg7 -m 128' USER_LOW_PERMS
open /dev/sdh with flags=0x802
    Report zones cdb: 95 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00
zl_len available is 2624, response length is 128
Report zones response:
  Same=0: zone type and length may differ in each descriptor
<snip>


Example with patch:
root@device_with_zbc_disks:~# su -s /bin/bash -c 'sg_rep_zones -vv /dev/sdh -m 128' USER_LOW_PERMS
open /dev/sdh with flags=0x802
    Report zones cdb: 95 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00
zl_len available is 2624, response length is 128
Report zones response:
  Same=0: zone type and length may differ in each descriptor
<snip>


Thanks,

Ryan
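
The permission decision behind the "Operation not permitted" in the cover letter above, as an added example that is not part of the original thread or of the kernel source: a userspace model of a per-opcode read_ok/write_ok filter holding only the two ZBC entries the patch adds. The names verify_command, check and OP_* are illustrative, and the decision order is an assumption modelled on blk_verify_command.

```c
/* Added example: userspace model of the SG_IO opcode filter, not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define OP_ZBC_OUT 0x94 /* zone management; value as defined in scsi_proto.h */
#define OP_ZBC_IN  0x95 /* REPORT ZONES: first CDB byte in the trace above */
struct cmd_filter { unsigned char read_ok[32], write_ok[32]; }; /* one bit per opcode */

static void set_op(unsigned char *map, unsigned op) { map[op >> 3] |= 1u << (op & 7); }
static bool has_op(const unsigned char *map, unsigned op) { return (map[op >> 3] >> (op & 7)) & 1; }

/* Models only the two ZBC entries; patched=false is the filter before the patch. */
static void filter_defaults(struct cmd_filter *f, bool patched)
{
    *f = (struct cmd_filter){0};
    if (patched) {
        set_op(f->write_ok, OP_ZBC_OUT);
        set_op(f->read_ok, OP_ZBC_IN);
    }
}

/* Returns 0 if the command may be sent, -EPERM otherwise; only cdb[0] is examined. */
static int verify_command(const struct cmd_filter *f, const unsigned char *cdb,
                          bool has_rawio, bool writable_open)
{
    if (has_rawio)                   /* CAP_SYS_RAWIO bypasses the filter */
        return 0;
    if (has_op(f->read_ok, cdb[0]))  /* read-safe: any open is enough */
        return 0;
    if (has_op(f->write_ok, cdb[0]) && writable_open)
        return 0;
    return -EPERM;
}

static int check(bool patched, unsigned char opcode, bool has_rawio, bool writable_open)
{
    struct cmd_filter f;
    unsigned char cdb[16] = { opcode };
    filter_defaults(&f, patched);
    return verify_command(&f, cdb, has_rawio, writable_open);
}

int main(void)
{
    printf("REPORT ZONES as unprivileged user: before %d, after %d\n",
           check(false, OP_ZBC_IN, false, true), check(true, OP_ZBC_IN, false, true));
    return 0;
}
```

Because the decision looks at the opcode byte alone, every service action sharing opcode 0x94 is granted together once the bit is set.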



* [PATCH 1/1 RESEND] Allow non-root users to perform ZBC commands.
  2020-02-26 17:05 [PATCH 0/1 RESEND] Allow non-root users to perform ZBC commands Ryan Attard
@ 2020-02-26 17:05 ` Ryan Attard
  2020-03-11  3:10   ` Martin K. Petersen
  2020-03-12  3:15   ` Martin K. Petersen
  0 siblings, 2 replies; 5+ messages in thread
From: Ryan Attard @ 2020-02-26 17:05 UTC (permalink / raw)
  To: linux-scsi, linux-block
  Cc: ryanattard, axboe, dgilbert, jejb, martin.petersen

Allow users with read permissions to issue REPORT ZONE commands and
users with write permissions to manage zones on block devices supporting
the ZBC specification.

Signed-off-by: Ryan Attard <ryanattard@ryanattard.info>
---
 block/scsi_ioctl.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
index b4e73d5dd5c2..ef722f04f88a 100644
--- a/block/scsi_ioctl.c
+++ b/block/scsi_ioctl.c
@@ -193,6 +193,10 @@ static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
 	__set_bit(GPCMD_LOAD_UNLOAD, filter->write_ok);
 	__set_bit(GPCMD_SET_STREAMING, filter->write_ok);
 	__set_bit(GPCMD_SET_READ_AHEAD, filter->write_ok);
+
+	/* ZBC Commands */
+	__set_bit(ZBC_OUT, filter->write_ok);
+	__set_bit(ZBC_IN, filter->read_ok);
 }
 
 int blk_verify_command(unsigned char *cmd, fmode_t mode)
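
Review bot: the "/* ZBC Commands */" comment above the two added __set_bit()
lines should say what is being granted. The bits are indexed by opcode only,
so __set_bit(ZBC_OUT, filter->write_ok) allows every service action carried
under that opcode to any caller with a writable open, and
__set_bit(ZBC_IN, filter->read_ok) does the same for any open at all. Suggest
spelling that out in the comment and the commit message (for example, that
ZBC_OUT covers all zone management actions, reset write pointer included), so
the scope of the change is visible where the filter is defined.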
-- 
2.24.1



* Re: [PATCH 1/1 RESEND] Allow non-root users to perform ZBC commands.
  2020-02-26 17:05 ` [PATCH 1/1 " Ryan Attard
@ 2020-03-11  3:10   ` Martin K. Petersen
  2020-03-11  3:48     ` Damien Le Moal
  2020-03-12  3:15   ` Martin K. Petersen
  1 sibling, 1 reply; 5+ messages in thread
From: Martin K. Petersen @ 2020-03-11  3:10 UTC (permalink / raw)
  To: Damien Le Moal
  Cc: linux-scsi, linux-block, axboe, dgilbert, jejb, martin.petersen,
	Ryan Attard


Damien: Please opine.

> Allow users with read permissions to issue REPORT ZONE commands and
> users with write permissions to manage zones on block devices supporting
> the ZBC specification.
>
> Signed-off-by: Ryan Attard <ryanattard@ryanattard.info>
> ---
>  block/scsi_ioctl.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
> index b4e73d5dd5c2..ef722f04f88a 100644
> --- a/block/scsi_ioctl.c
> +++ b/block/scsi_ioctl.c
> @@ -193,6 +193,10 @@ static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
>  	__set_bit(GPCMD_LOAD_UNLOAD, filter->write_ok);
>  	__set_bit(GPCMD_SET_STREAMING, filter->write_ok);
>  	__set_bit(GPCMD_SET_READ_AHEAD, filter->write_ok);
> +
> +	/* ZBC Commands */
> +	__set_bit(ZBC_OUT, filter->write_ok);
> +	__set_bit(ZBC_IN, filter->read_ok);
>  }
>  
>  int blk_verify_command(unsigned char *cmd, fmode_t mode)
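
Review bot: the ZBC_IN read_ok line is placed at the tail of a run of write_ok
entries (GPCMD_LOAD_UNLOAD, GPCMD_SET_STREAMING, GPCMD_SET_READ_AHEAD) and
after the ZBC_OUT write_ok line. Someone auditing which opcodes are allowed on
a read-only open will look through the read_ok entries and can miss it here.
Suggest moving the ZBC_IN line next to the function's other read_ok entries,
if they are grouped, and keeping only ZBC_OUT in this block.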

-- 
Martin K. Petersen	Oracle Linux Engineering


* Re: [PATCH 1/1 RESEND] Allow non-root users to perform ZBC commands.
  2020-03-11  3:10   ` Martin K. Petersen
@ 2020-03-11  3:48     ` Damien Le Moal
  0 siblings, 0 replies; 5+ messages in thread
From: Damien Le Moal @ 2020-03-11  3:48 UTC (permalink / raw)
  To: Martin K. Petersen
  Cc: linux-scsi, linux-block, axboe, dgilbert, jejb, Ryan Attard

On 2020/03/11 12:10, Martin K. Petersen wrote:
> 
> Damien: Please opine.

My apologies. This one slipped through the cracks...

>> Allow users with read permissions to issue REPORT ZONE commands and
>> users with write permissions to manage zones on block devices supporting
>> the ZBC specification.

I think this is fine for SG_IO ioctls since other SG_IO commands with an impact
on the device data (write) can be done without CAP_SYS_ADMIN as required by
block device file ioctl.

>>
>> Signed-off-by: Ryan Attard <ryanattard@ryanattard.info>

Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>

>> ---
>>  block/scsi_ioctl.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
>> index b4e73d5dd5c2..ef722f04f88a 100644
>> --- a/block/scsi_ioctl.c
>> +++ b/block/scsi_ioctl.c
>> @@ -193,6 +193,10 @@ static void blk_set_cmd_filter_defaults(struct blk_cmd_filter *filter)
>>  	__set_bit(GPCMD_LOAD_UNLOAD, filter->write_ok);
>>  	__set_bit(GPCMD_SET_STREAMING, filter->write_ok);
>>  	__set_bit(GPCMD_SET_READ_AHEAD, filter->write_ok);
>> +
>> +	/* ZBC Commands */
>> +	__set_bit(ZBC_OUT, filter->write_ok);
>> +	__set_bit(ZBC_IN, filter->read_ok);
>>  }
>>  
>>  int blk_verify_command(unsigned char *cmd, fmode_t mode)
> 


-- 
Damien Le Moal
Western Digital Research


* Re: [PATCH 1/1 RESEND] Allow non-root users to perform ZBC commands.
  2020-02-26 17:05 ` [PATCH 1/1 " Ryan Attard
  2020-03-11  3:10   ` Martin K. Petersen
@ 2020-03-12  3:15   ` Martin K. Petersen
  1 sibling, 0 replies; 5+ messages in thread
From: Martin K. Petersen @ 2020-03-12  3:15 UTC (permalink / raw)
  To: Ryan Attard
  Cc: linux-scsi, linux-block, axboe, dgilbert, jejb, martin.petersen


Ryan,

> Allow users with read permissions to issue REPORT ZONE commands and
> users with write permissions to manage zones on block devices
> supporting the ZBC specification.

Applied to 5.7/scsi-queue, thanks!

-- 
Martin K. Petersen	Oracle Linux Engineering
