fs: Restrict 'fs flushall' to root

Commands like 'fs flush' and 'fs flushvolume' require the caller to be
able to look up the target file, but 'fs flushall' has no access checks
at all, and hasn't since it was introduced in commit 4197bbecd9
(libafs: fs flushall for unix cm). This allows unauthenticated users
to flush the cache of files/volumes they have no access to, and means
flushing the entire cache requires less access than flushing parts of
the cache, which doesn't make much sense.

Change the command to only be runnable by the local superuser root,
and document the restriction.

Change-Id: I906d6c02a16b49ae31ab8e644a8ffb85c4e3434d
Reviewed-on: https://gerrit.openafs.org/15393
Reviewed-by: Cheyenne Wills <cwills@sinenomine.net>
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
This commit is contained in:
Andrew Deason 2023-04-10 16:40:38 -05:00 committed by Michael Meffie
parent 790b3108df
commit 4392020ba0
2 changed files with 5 additions and 1 deletions


@ -42,7 +42,7 @@ as follows:
=head1 PRIVILEGE REQUIRED =head1 PRIVILEGE REQUIRED
No special privileges are required for this command. The issuer must be logged in as the local superuser C<root>.
=head1 SEE ALSO =head1 SEE ALSO
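Review bot: The new PRIVILEGE REQUIRED sentence states the restriction but not why it differs from the sibling commands; since the commit message explains that 'fs flush' and 'fs flushvolume' only require lookup access to the target, a short clause here (e.g. "unlike B<fs flush>, which only requires access to the file being flushed") would stop readers from assuming all flush commands now need root.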


@ -3680,6 +3680,7 @@ DECL_PIOCTL(PFlushVolumeData)
* *
* \retval EINVAL Error if some of the standard args aren't set * \retval EINVAL Error if some of the standard args aren't set
* \retval EIO Error if the afs daemon hasn't started yet * \retval EIO Error if the afs daemon hasn't started yet
* \retval EACCES Error if the user doesn't have super-user credentials
* *
* \post * \post
* Flush all cached contents. Exactly what stays and what * Flush all cached contents. Exactly what stays and what
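Review bot: The added `\retval EACCES` text says "super-user credentials", which in an AFS context can be read as an administrative token rather than local root; the man page hunk in this same change says "local superuser C<root>", so the doxygen line should use the same wording, e.g. `\retval EACCES Error if the caller is not the local superuser (root)`, to keep the two descriptions consistent.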
@ -3697,6 +3698,9 @@ DECL_PIOCTL(PFlushAllVolumeData)
if (!afs_resourceinit_flag) /* afs daemons haven't started yet */ if (!afs_resourceinit_flag) /* afs daemons haven't started yet */
return EIO; /* Inappropriate ioctl for device */ return EIO; /* Inappropriate ioctl for device */
if (!afs_osi_suser(*acred))
return EACCES;
return FlushVolumeData(NULL, *acred); return FlushVolumeData(NULL, *acred);
} }
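Review bot: The new `afs_osi_suser(*acred)` check is placed after the `afs_resourceinit_flag` test, so an unprivileged caller against a not-yet-started daemon gets EIO before EACCES, which matches the order the `\retval` lines are listed in; the existing check carries an inline comment (`/* afs daemons haven't started yet */`) while the new one has none, so add a matching one-liner such as `/* only local root may flush the whole cache */` for symmetry.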