From: Dongsu Park
To: linux-kernel@vger.kernel.org
Subject: [PATCH 01/11] block_dev: Support checking inode permissions in lookup_bdev()
Date: Fri, 22 Dec 2017 15:32:25 +0100
List-Id: Linux MTD discussion mailing list
Cc: Miklos Szeredi, Dongsu Park, containers@lists.linux-foundation.org, linux-bcache@vger.kernel.org, Seth Forshee, dm-devel@redhat.com, Alban Crequy, "Eric W . Biederman", linux-mtd@lists.infradead.org, Jan Kara, Sargun Dhillon, linux-fsdevel@vger.kernel.org, Serge Hallyn, Alexander Viro

From: Seth Forshee When looking up a block device by path no permission check is done to verify that the user has access to the block device inode at the specified path. In some cases it may be necessary to check permissions towards the inode, such as allowing unprivileged users to mount block devices in user namespaces. Add an argument to lookup_bdev() to optionally perform this permission check. A value of 0 skips the permission check and behaves the same as before. A non-zero value specifies the mask of access rights required towards the inode at the specified path. The check is always skipped if the user has CAP_SYS_ADMIN. All callers of lookup_bdev() currently pass a mask of 0, so this patch results in no functional change. Subsequent patches will add permission checks where appropriate. Patch v4 is available: https://patchwork.kernel.org/patch/8943601/ Cc: dm-devel@redhat.com Cc: linux-bcache@vger.kernel.org Cc: linux-fsdevel@vger.kernel.org Cc: linux-mtd@lists.infradead.org Cc: linux-kernel@vger.kernel.org Cc: Alexander Viro Cc: Jan Kara Cc: Serge Hallyn Signed-off-by: Seth Forshee Signed-off-by: Dongsu Park Acked-by: Serge Hallyn --- drivers/md/bcache/super.c | 2 +- drivers/md/dm-table.c | 2 +- drivers/mtd/mtdsuper.c | 2 +- fs/block_dev.c | 13 ++++++++++--- fs/quota/quota.c | 2 +- include/linux/fs.h | 2 +- 6 files changed, 15 insertions(+), 8 deletions(-) diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c index b4d28928..acc9d56c 100644 --- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -1967,7 +1967,7 @@ static ssize_t register_bcache(struct kobject *k, struct kobj_attribute *attr, sb); if (IS_ERR(bdev)) { if (bdev == ERR_PTR(-EBUSY)) { - bdev = lookup_bdev(strim(path)); + bdev = lookup_bdev(strim(path), 0); mutex_lock(&bch_register_lock); if (!IS_ERR(bdev) && bch_is_open(bdev)) err = "device already registered"; diff --git a/drivers/md/dm-table.c b/drivers/md/dm-table.c index 88130b5d..bca5eaf4 100644 
--- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -410,7 +410,7 @@ dev_t dm_get_dev_t(const char *path) dev_t dev; struct block_device *bdev; - bdev = lookup_bdev(path); + bdev = lookup_bdev(path, 0); if (IS_ERR(bdev)) dev = name_to_dev_t(path); else { diff --git a/drivers/mtd/mtdsuper.c b/drivers/mtd/mtdsuper.c index e43fea89..4a4d40c0 100644 --- a/drivers/mtd/mtdsuper.c +++ b/drivers/mtd/mtdsuper.c @@ -180,7 +180,7 @@ struct dentry *mount_mtd(struct file_system_type *fs_type, int flags, /* try the old way - the hack where we allowed users to mount * /dev/mtdblock$(n) but didn't actually _use_ the blockdev */ - bdev = lookup_bdev(dev_name); + bdev = lookup_bdev(dev_name, 0); if (IS_ERR(bdev)) { ret = PTR_ERR(bdev); pr_debug("MTDSB: lookup_bdev() returned %d\n", ret); diff --git a/fs/block_dev.c b/fs/block_dev.c index 4a181fcb..5ca06095 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c @@ -1662,7 +1662,7 @@ struct block_device *blkdev_get_by_path(const char *path, fmode_t mode, struct block_device *bdev; int err; - bdev = lookup_bdev(path); + bdev = lookup_bdev(path, 0); if (IS_ERR(bdev)) return bdev; @@ -2052,12 +2052,14 @@ EXPORT_SYMBOL(ioctl_by_bdev); /** * lookup_bdev - lookup a struct block_device by name * @pathname: special file representing the block device + * @mask: rights to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC) * * Get a reference to the blockdevice at @pathname in the current * namespace if possible and return it. Return ERR_PTR(error) - * otherwise. + * otherwise. If @mask is non-zero, check for access rights to the + * inode at @pathname. */ -struct block_device *lookup_bdev(const char *pathname) +struct block_device *lookup_bdev(const char *pathname, int mask) { struct block_device *bdev; struct inode *inode; 
@@ -2072,6 +2074,11 @@ struct block_device *lookup_bdev(const char *pathname) return ERR_PTR(error); inode = d_backing_inode(path.dentry); + if (mask != 0 && !capable(CAP_SYS_ADMIN)) { + error = __inode_permission(inode, mask); + if (error) + goto fail; + } error = -ENOTBLK; if (!S_ISBLK(inode->i_mode)) goto fail; diff --git a/fs/quota/quota.c b/fs/quota/quota.c index 43612e2a..e5d47955 100644 --- a/fs/quota/quota.c +++ b/fs/quota/quota.c @@ -807,7 +807,7 @@ static struct super_block *quotactl_block(const char __user *special, int cmd) if (IS_ERR(tmp)) return ERR_CAST(tmp); - bdev = lookup_bdev(tmp->name); + bdev = lookup_bdev(tmp->name, 0); putname(tmp); if (IS_ERR(bdev)) return ERR_CAST(bdev); diff --git a/include/linux/fs.h b/include/linux/fs.h index 2995a271..fce19c49 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -2551,7 +2551,7 @@ static inline void unregister_chrdev(unsigned int major, const char *name) #define BLKDEV_MAJOR_MAX 512 extern const char *__bdevname(dev_t, char *buffer); extern const char *bdevname(struct block_device *bdev, char *buffer); -extern struct block_device *lookup_bdev(const char *); +extern struct block_device *lookup_bdev(const char *, int mask); extern void blkdev_show(struct seq_file *,off_t); #else
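
Review bot: in the lookup_bdev() hunk in fs/block_dev.c, `capable(CAP_SYS_ADMIN)` is evaluated before `__inode_permission()`, so every unprivileged caller that passes a non-zero mask goes through a capability check even when the inode permissions alone would grant access; on systems that audit capability denials this can record a denial for a lookup that then succeeds. Consider checking the inode first and consulting the capability only on failure, for example `error = __inode_permission(inode, mask);` followed by `if (error && !capable(CAP_SYS_ADMIN)) goto fail;`. The kernel-doc for @mask should also say that the check is skipped for CAP_SYS_ADMIN, which at present is stated only in the commit message, and a one-line comment on why `__inode_permission()` is called rather than `inode_permission()` would help the next reader.
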
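
Review bot: the new prototype in the include/linux/fs.h hunk names only its second parameter, `lookup_bdev(const char *, int mask)`. Name both, as in `lookup_bdev(const char *pathname, int mask)`, so the declaration matches the definition in fs/block_dev.c and its kernel-doc.
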
From: Dongsu Park
To: linux-kernel@vger.kernel.org
Subject: [PATCH 02/11] mtd: Check permissions towards mtd block device inode when mounting
Date: Fri, 22 Dec 2017 15:32:26 +0100
Message-Id: <945d325a2239efcd55273abb2bac41cfc7264fea.1512041070.git.dongsu@kinvolk.io>
List-Id: Linux MTD discussion mailing list
Cc: Miklos Szeredi, Dongsu Park, containers@lists.linux-foundation.org, Seth Forshee, Alban Crequy, "Eric W . Biederman", Sargun Dhillon, linux-mtd@lists.infradead.org

From: Seth Forshee Unprivileged users should not be able to mount mtd block devices when they lack sufficient privileges towards the block device inode. Update mount_mtd() to validate that the user has the required access to the inode at the specified path. The check will be skipped for CAP_SYS_ADMIN, so privileged mounts will continue working as before. Patch v3 is available: https://patchwork.kernel.org/patch/7640011/ Cc: linux-mtd@lists.infradead.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Seth Forshee Signed-off-by: Dongsu Park Acked-by: Serge Hallyn --- drivers/mtd/mtdsuper.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/mtdsuper.c b/drivers/mtd/mtdsuper.c index 4a4d40c0..3c8734f3 100644 --- a/drivers/mtd/mtdsuper.c +++ b/drivers/mtd/mtdsuper.c @@ -129,6 +129,7 @@ struct dentry *mount_mtd(struct file_system_type *fs_type, int flags, #ifdef CONFIG_BLOCK struct block_device *bdev; int ret, major; + int perm; #endif int mtdnr; @@ -180,7 +181,10 @@ struct dentry *mount_mtd(struct file_system_type *fs_type, int flags, /* try the old way - the hack where we allowed users to mount * /dev/mtdblock$(n) but didn't actually _use_ the blockdev */ - bdev = lookup_bdev(dev_name, 0); + perm = MAY_READ; + if (!(flags & MS_RDONLY)) + perm |= MAY_WRITE; + bdev = lookup_bdev(dev_name, perm); if (IS_ERR(bdev)) { ret = PTR_ERR(bdev); pr_debug("MTDSB: lookup_bdev() returned %d\n", ret);
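
Review bot: in the second mount_mtd() hunk the access mask is derived from `flags & MS_RDONLY` once, at this call, so a mount requested read-only is checked for MAY_READ only. Please confirm, and say in the commit message, whether a later remount to read-write re-checks MAY_WRITE against the block device inode; nothing in the visible lines covers that path. A short comment above `perm = MAY_READ;` noting that lookup_bdev() skips the check for CAP_SYS_ADMIN would also make the behaviour clear at the call site, and the `pr_debug()` that follows will now report permission errors from lookup_bdev() as well, which is worth a mention since the message text is unchanged.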