On Sun, May 17, 2026 at 10:08:13PM -0700, Christoph Hellwig wrote:

On Fri, May 15, 2026 at 05:36:45PM +0000, Cyber_black wrote:

quoted

Option B) Add a capability check to ioctl_fiemap() to match FIBMAP.
This restores the intended restriction, at the cost of breaking
unprivileged use of FIEMAP (e.g. filefrag, btrfs tools, e2freefrag).
This option is a larger ABI impact and likely undesirable.

The preferred fix is Option A, since FIEMAP has been available
unprivileged since 2008 with no reported security issues, and read
access to physical block layout is already implicitly available
through open() permission on the file.

No, FIEMAP really should not be available unprivileged.  So I think B is
the right thing.  Can you send a proper patch with a proper signoff?

For anyone who might be relying on FIEMAP output to find sparse regions
-- don't.  FIEMAP is a lowlevel fs debugging interface; it won't tell
you about dirty pagecache backed by unwritten disk space.  cp was burned
by that a decade and a half ago.

--D