xfs: only return detailed fsmap info if the caller has CAP_SYS_ADMIN

There were a number of handwaving complaints that one could "possibly"
use inode numbers and extent maps to fingerprint a filesystem hosting
multiple containers and somehow use the information to guess at the
contents of other containers and attack them.  Despite the total lack of
any demonstration that this is actually possible, it's easier to
restrict access now and broaden it later, so use the rmapbt fsmap
backends only if the caller has CAP_SYS_ADMIN.  Unprivileged users will
just have to make do with only getting the free space and static
metadata placement information.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>

diff --git a/fs/xfs/xfs_fsmap.c b/fs/xfs/xfs_fsmap.c
index 3683819887a5658eff23d6e3258d21567bbdc0b4..814ed729881d9a4305c3dd5646d75ef0f112b87b 100644 (file)
--- a/fs/xfs/xfs_fsmap.c
+++ b/fs/xfs/xfs_fsmap.c
@@ -828,6 +828,7 @@ xfs_getfsmap(
        struct xfs_fsmap                dkeys[2];       /* per-dev keys */
        struct xfs_getfsmap_dev         handlers[XFS_GETFSMAP_DEVS];
        struct xfs_getfsmap_info        info = { NULL };
+       bool                            use_rmap;
        int                             i;
        int                             error = 0;
 
@@ -837,12 +838,14 @@ xfs_getfsmap(
            !xfs_getfsmap_is_valid_device(mp, &head->fmh_keys[1]))
                return -EINVAL;
 
+       use_rmap = capable(CAP_SYS_ADMIN) &&
+                  xfs_sb_version_hasrmapbt(&mp->m_sb);
        head->fmh_entries = 0;
 
        /* Set up our device handlers. */
        memset(handlers, 0, sizeof(handlers));
        handlers[0].dev = new_encode_dev(mp->m_ddev_targp->bt_dev);
-       if (xfs_sb_version_hasrmapbt(&mp->m_sb))
+       if (use_rmap)
                handlers[0].fn = xfs_getfsmap_datadev_rmapbt;
        else
                handlers[0].fn = xfs_getfsmap_datadev_bnobt;