From: Christopher Hoffman <choffman@redhat.com>
Date: Mon, 29 Sep 2025 13:14:01 +0000 (+0000)
Subject: mds: When setting fscrypt attrs ensure client has ALL caps
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0ad0a52f6327f4b5945ef26ae3983c5770d5ab82;p=ceph.git

mds: When setting fscrypt attrs ensure client has ALL caps

Signed-off-by: Christopher Hoffman <choffman@redhat.com>
---

diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 0c43101a0a8..56d55cc42d1 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -5648,6 +5648,12 @@ void Server::handle_client_setattr(const MDRequestRef& mdr)
     }
   }
 
+  bool allow_all = mdr->session->auth_caps.allow_all();
+  if (mask & (CEPH_SETATTR_FSCRYPT_FILE|CEPH_SETATTR_FSCRYPT_AUTH) && !allow_all) {
+    respond_to_request(mdr, -EACCES);
+    return;
+  }
+
   if (mask & CEPH_SETATTR_FSCRYPT_AUTH)
     pi.inode->fscrypt_auth.assign(req->fscrypt_auth.begin(), req->fscrypt_auth.end());
   if (mask & CEPH_SETATTR_FSCRYPT_FILE)