mds: When setting fscrypt attrs ensure client has ALL caps

Signed-off-by: Christopher Hoffman <choffman@redhat.com>

diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 0c43101a0a8e7e419015b808381aca0e30ec9372..56d55cc42d1c9f42194d4e2ab4a61b5650047d69 100644 (file)
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -5648,6 +5648,12 @@ void Server::handle_client_setattr(const MDRequestRef& mdr)
     }
   }
 
+  bool allow_all = mdr->session->auth_caps.allow_all();
+  if (mask & (CEPH_SETATTR_FSCRYPT_FILE|CEPH_SETATTR_FSCRYPT_AUTH) && !allow_all) {
+    respond_to_request(mdr, -EACCES);
+    return;
+  }
+
   if (mask & CEPH_SETATTR_FSCRYPT_AUTH)
     pi.inode->fscrypt_auth.assign(req->fscrypt_auth.begin(), req->fscrypt_auth.end());
   if (mask & CEPH_SETATTR_FSCRYPT_FILE)