Be a bit more anal about allowing SCSI commands to be sent.

Normal users shouldn't have access to the raw device anyway
unless they are in the trusted "disk" group, but let's require
RAWIO capabilities. That's what the original SCSI interfaces
did anyhoo.

We probably _should_ just require write access, but that will
need more of a code change to pass down the file descriptor.

diff --git a/drivers/block/scsi_ioctl.c b/drivers/block/scsi_ioctl.c
index 03df600806502a6562823efa6c68c1b4dd65e418..203422b763642bedcbaff62257521320ff0c05c6 100644 (file)
--- a/drivers/block/scsi_ioctl.c
+++ b/drivers/block/scsi_ioctl.c
@@ -115,6 +115,8 @@ static int sg_io(request_queue_t *q, struct gendisk *bd_disk,
        char sense[SCSI_SENSE_BUFFERSIZE];
        unsigned char cmd[BLK_MAX_CDB];
 
+       if (!capable(CAP_SYS_RAWIO))
+               return -EPERM;
        if (hdr->interface_id != 'S')
                return -EINVAL;
        if (hdr->cmd_len > BLK_MAX_CDB)
@@ -233,6 +235,8 @@ static int sg_scsi_ioctl(request_queue_t *q, struct gendisk *bd_disk,
        int err, in_len, out_len, bytes, opcode, cmdlen;
        char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
 
+       if (!capable(CAP_SYS_RAWIO))
+               return -EPERM;
        /*
         * get in an out lengths, verify they don't exceed a page worth of data
         */