drbd: Work on permission enforcement

Now we have the capabilities of the sending process available,
use them to enforce CAP_SYS_ADMIN.

Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>

diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
index 73c55ccb629aa13489f71833473018a42df51f13..22538d9628f11dfeb57dced35cde611f97783bb0 100644 (file)
--- a/drivers/block/drbd/drbd_nl.c
+++ b/drivers/block/drbd/drbd_nl.c
@@ -2000,7 +2000,7 @@ static struct cn_handler_struct cnd_table[] = {
        [ P_new_c_uuid ]        = { &drbd_nl_new_c_uuid,        0 },
 };
 
-static void drbd_connector_callback(struct cn_msg *req)
+static void drbd_connector_callback(struct cn_msg *req, struct netlink_skb_parms *nsp)
 {
        struct drbd_nl_cfg_req *nlp = (struct drbd_nl_cfg_req *)req->data;
        struct cn_handler_struct *cm;
@@ -2017,6 +2017,11 @@ static void drbd_connector_callback(struct cn_msg *req)
                return;
        }
 
+       if (!cap_raised(nsp->eff_cap, CAP_SYS_ADMIN)) {
+               retcode = ERR_PERM;
+               goto fail;
+       }
+
        mdev = ensure_mdev(nlp);
        if (!mdev) {
                retcode = ERR_MINOR_INVALID;

diff --git a/include/linux/drbd.h b/include/linux/drbd.h
index 69dc711f37b3d220fe689dfaf117a5aeaaf6e996..233db5c18b86f69a8144346eb805252b0268540b 100644 (file)
--- a/include/linux/drbd.h
+++ b/include/linux/drbd.h
@@ -138,6 +138,7 @@ enum drbd_ret_codes {
        ERR_VERIFY_RUNNING      = 149, /* DRBD 8.2 only */
        ERR_DATA_NOT_CURRENT    = 150,
        ERR_CONNECTED           = 151, /* DRBD 8.3 only */
+       ERR_PERM                = 152,
 
        /* insert new ones above this line */
        AFTER_LAST_ERR_CODE