From patchwork Fri Sep 25 16:30:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: William Breathitt Gray X-Patchwork-Id: 1371443 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Bycrn20s2z9sRf; Sat, 26 Sep 2020 02:32:25 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1kLqdx-0005eb-6n; Fri, 25 Sep 2020 16:32:21 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kLqdv-0005eE-Db for kernel-team@lists.ubuntu.com; Fri, 25 Sep 2020 16:32:19 +0000 Received: from mail-qv1-f70.google.com ([209.85.219.70]) by youngberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1kLqdv-00053F-44 for kernel-team@lists.ubuntu.com; Fri, 25 Sep 2020 16:32:19 +0000 Received: by mail-qv1-f70.google.com with SMTP id a13so2029997qvl.6 for ; Fri, 25 Sep 2020 09:32:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=S6CbW7mRVVRdrrUGFq/XfUSP26pzLnGIP4StE/4LAhA=; b=Nqinay/+ZRIeaT+4qW7qpb/cgml8ZXAyGhUtPNqgVowDCSxROVS8nTP3NW70ru463R 3zPx+AVURYVI8V2aq+fFlWMVdD0+vXjiKM3NYBbQMQQ3N0bajtJ+1WcV8sfErExbbVS0 3SJMJgb0+RskuqebdWv0za02l9H7zzvT43kf32Ul6Ly65CHPPO7y+l+gILa31UGHiPe9 /gMX8TCtKIWJv2QOmno4ABCbhYA4kkXMy2Y4rhdb2gYmpF+H+FjXmzlIy1z6V3K1v5cf 2zZhldL/KehFNIJ65sWM31inlFVrNTf3VrOVshzqNzdhIbYbmRnGlze3uVfc+fscPffY 4Fsg== X-Gm-Message-State: AOAM531WF0y9atrJgmiD9R8ImB1j/FYBTyKy3Wz0S2iSv//86uAEx+Dn FUjI25PEtKZNmkPrO1wSgxY6NJFmjJnNsQgqLIYbZwNH0GYLaMzD3xi7Z7+9S6BQkSA+hhUQXxL Gyj7dYiuIrYk/2/De+4OzhxoH1L6Bp5PtqZ+qcvtAGA== X-Received: by 2002:a0c:a085:: with SMTP id c5mr276807qva.30.1601051537576; Fri, 25 Sep 2020 09:32:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwhHudYVKJmWs51yMgvl1x44ZEo9EtyT95HCcgsfM5MPR7cNMLvvxVPwySltoW5S1ljMhJYgw== X-Received: by 2002:a0c:a085:: with SMTP id c5mr276787qva.30.1601051537356; Fri, 25 Sep 2020 09:32:17 -0700 (PDT) Received: from localhost.localdomain (072-189-064-225.res.spectrum.com. [72.189.64.225]) by smtp.gmail.com with ESMTPSA id 25sm2061927qks.41.2020.09.25.09.32.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 25 Sep 2020 09:32:16 -0700 (PDT) From: William Breathitt Gray To: kernel-team@lists.ubuntu.com Subject: [SRU][X][CVE-2020-25284][PATCH v2 1/1] rbd: require global CAP_SYS_ADMIN for mapping and unmapping Date: Fri, 25 Sep 2020 12:30:08 -0400 Message-Id: <20200925163008.39727-3-william.gray@canonical.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200925163008.39727-1-william.gray@canonical.com> References: <20200925163008.39727-1-william.gray@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Ilya Dryomov It turns out that currently we rely only on sysfs attribute permissions: $ ll /sys/bus/rbd/{add*,remove*} --w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/add --w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/add_single_major --w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/remove --w------- 1 root root 4096 Sep 3 20:38 /sys/bus/rbd/remove_single_major This means that images can be mapped and unmapped (i.e. block devices can be created and deleted) by a UID 0 process even after it drops all privileges or by any process with CAP_DAC_OVERRIDE in its user namespace as long as UID 0 is mapped into that user namespace. Be consistent with other virtual block devices (loop, nbd, dm, md, etc) and require CAP_SYS_ADMIN in the initial user namespace for mapping and unmapping, and also for dumping the configuration string and refreshing the image header. Cc: stable@vger.kernel.org Signed-off-by: Ilya Dryomov Reviewed-by: Jeff Layton CVE-2020-25284 (backported from commit f44d04e696feaf13d192d942c4f14ad2e117065a) [ vilhelmgray: Remove changes for sysfs attr that does not exist ] [ vilhelmgray: Context adjustments ] Signed-off-by: William Breathitt Gray --- Changes in v2: - Add missing code for do_rbd_add and do_rbd_remove drivers/block/rbd.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c index 995d9c432744..c66033b6b67f 100644 --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c @@ -3945,6 +3945,9 @@ static ssize_t rbd_image_refresh(struct device *dev, struct rbd_device *rbd_dev = dev_to_rbd_dev(dev); int ret; + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + ret = rbd_dev_refresh(rbd_dev); if (ret) return ret; @@ -5404,6 +5407,9 @@ static ssize_t do_rbd_add(struct bus_type *bus, bool read_only; int rc; + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + if (!try_module_get(THIS_MODULE)) return -ENODEV; @@ -5548,6 +5554,9 @@ static ssize_t do_rbd_remove(struct bus_type *bus, bool already = false; int ret; + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + ret = kstrtoul(buf, 10, &ul); if (ret) return ret;