Message ID | 20200925163008.39727-1-william.gray@canonical.com |
---|---|
Series | rbd: require global CAP_SYS_ADMIN for mapping and unmapping |
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
On 25/09/2020 17:30, William Breathitt Gray wrote:
> SRU Justification
> =================
>
> [Impact]
>
> The rbd block device driver in drivers/block/rbd.c in the Linux kernel
> through 5.8.9 used incomplete permission checking for access to rbd
> devices, which could be leveraged by local attackers to map or unmap rbd
> block devices, aka CID-f44d04e696fe.
>
> [Regression Potential]
>
> Regression potential is low. This fix simply checks if the proper
> permission is held; the only users affected by this change will be those
> who should not have access to rbd devices in the first place.
>
> [Miscellaneous]
>
> It's a simple cherry-pick for Focal and Bionic. The Xenial backport
> consisted of just removing the changes for sysfs attributes that do not
> exist in Xenial, and making minor context adjustments.
>
> Ilya Dryomov (1):
>   rbd: require global CAP_SYS_ADMIN for mapping and unmapping
>
>  drivers/block/rbd.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>

Looks good to me. Thanks William

Acked-by: Colin Ian King <colin.king@canonical.com>
This patch was applied in the following patchset:

Xenial update: v4.4.237 upstream stable release
https://bugs.launchpad.net/bugs/1897602

Thanks!
Ian

On 2020-09-25 12:30:06, William Breathitt Gray wrote:
> SRU Justification
> =================
>
> [Impact]
>
> The rbd block device driver in drivers/block/rbd.c in the Linux kernel
> through 5.8.9 used incomplete permission checking for access to rbd
> devices, which could be leveraged by local attackers to map or unmap rbd
> block devices, aka CID-f44d04e696fe.
>
> [Regression Potential]
>
> Regression potential is low. This fix simply checks if the proper
> permission is held; the only users affected by this change will be those
> who should not have access to rbd devices in the first place.
>
> [Miscellaneous]
>
> It's a simple cherry-pick for Focal and Bionic. The Xenial backport
> consisted of just removing the changes for sysfs attributes that do not
> exist in Xenial, and making minor context adjustments.
>
> Ilya Dryomov (1):
>   rbd: require global CAP_SYS_ADMIN for mapping and unmapping
>
>  drivers/block/rbd.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>
> --
> 2.25.1
This patch was applied in the following patchset:

Bionic update: upstream stable patchset 2020-09-30
Ported from the following upstream stable releases:
v4.14.199, v4.19.146 v4.19.147,
https://bugs.launchpad.net/bugs/1897977

Thanks,
Ian

On 2020-09-25 12:30:06, William Breathitt Gray wrote:
> SRU Justification
> =================
>
> [Impact]
>
> The rbd block device driver in drivers/block/rbd.c in the Linux kernel
> through 5.8.9 used incomplete permission checking for access to rbd
> devices, which could be leveraged by local attackers to map or unmap rbd
> block devices, aka CID-f44d04e696fe.
>
> [Regression Potential]
>
> Regression potential is low. This fix simply checks if the proper
> permission is held; the only users affected by this change will be those
> who should not have access to rbd devices in the first place.
>
> [Miscellaneous]
>
> It's a simple cherry-pick for Focal and Bionic. The Xenial backport
> consisted of just removing the changes for sysfs attributes that do not
> exist in Xenial, and making minor context adjustments.
>
> Ilya Dryomov (1):
>   rbd: require global CAP_SYS_ADMIN for mapping and unmapping
>
>  drivers/block/rbd.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>
> --
> 2.25.1