From 0ad0a52f6327f4b5945ef26ae3983c5770d5ab82 Mon Sep 17 00:00:00 2001
From: Christopher Hoffman <choffman@redhat.com>
Date: Mon, 29 Sep 2025 13:14:01 +0000
Subject: [PATCH] mds: When setting fscrypt attrs ensure client has ALL caps

Signed-off-by: Christopher Hoffman <choffman@redhat.com>
---
 src/mds/Server.cc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/mds/Server.cc b/src/mds/Server.cc
index 0c43101a0a8..56d55cc42d1 100644
--- a/src/mds/Server.cc
+++ b/src/mds/Server.cc
@@ -5648,6 +5648,12 @@ void Server::handle_client_setattr(const MDRequestRef& mdr)
     }
   }
 
+  bool allow_all = mdr->session->auth_caps.allow_all();
+  if (mask & (CEPH_SETATTR_FSCRYPT_FILE|CEPH_SETATTR_FSCRYPT_AUTH) && !allow_all) {
+    respond_to_request(mdr, -EACCES);
+    return;
+  }
+
   if (mask & CEPH_SETATTR_FSCRYPT_AUTH)
     pi.inode->fscrypt_auth.assign(req->fscrypt_auth.begin(), req->fscrypt_auth.end());
   if (mask & CEPH_SETATTR_FSCRYPT_FILE)
-- 
2.47.3