diff mbox

fs/sync.c : Add CAP_SYS_ADMIN checking before sync

Message ID 552FA066.3010905@huawei.com (mailing list archive)
State New, archived
Headers show

Commit Message

Wuqixuan April 16, 2015, 11:43 a.m. UTC
The process, supposed in one container, can't flush the metadata
and data of the all host's partitions without CAP_SYS_ADMIN
capability, like sys_mount is doing. The checking will prevent some
vicious programs impacting IO sequnces of those partitions,
particularly, the ones which can't be accessed in the container.

Signed-off-by: Last Wu <wuqixuan@huawei.com>
---
fs/sync.c | 3 +++
1 file changed, 3 insertions(+)

--
1.9.1


--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Azat Khuzhin April 16, 2015, 3:08 p.m. UTC | #1
On Thu, Apr 16, 2015 at 07:43:34PM +0800, Wuqixuan wrote:
> The process, supposed in one container, can't flush the metadata
> and data of the all host's partitions without CAP_SYS_ADMIN
> capability, like sys_mount is doing. The checking will prevent some
> vicious programs impacting IO sequnces of those partitions,
> particularly, the ones which can't be accessed in the container.
> 
> Signed-off-by: Last Wu <wuqixuan@huawei.com>
> ---
> fs/sync.c | 3 +++
> 1 file changed, 3 insertions(+)
> 
> diff --git a/fs/sync.c b/fs/sync.c
> index fbc98ee..9f07909 100644
> --- a/fs/sync.c
> +++ b/fs/sync.c
> @@ -103,6 +103,9 @@ SYSCALL_DEFINE0(sync)
> {
> int nowait = 0, wait = 1;
> 
> + if (!capable(CAP_SYS_ADMIN))
> + return -EPERM;

So after this patch I can't call sync as a regular user? (even without
containers).
But nothing in sync(2) says about special permissions for this.
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Richard Weinberger April 16, 2015, 7:31 p.m. UTC | #2
On Thu, Apr 16, 2015 at 5:08 PM, Azat Khuzhin <a3at.mail@gmail.com> wrote:
> On Thu, Apr 16, 2015 at 07:43:34PM +0800, Wuqixuan wrote:
>> The process, supposed in one container, can't flush the metadata
>> and data of the all host's partitions without CAP_SYS_ADMIN
>> capability, like sys_mount is doing. The checking will prevent some
>> vicious programs impacting IO sequnces of those partitions,
>> particularly, the ones which can't be accessed in the container.
>>
>> Signed-off-by: Last Wu <wuqixuan@huawei.com>
>> ---
>> fs/sync.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/sync.c b/fs/sync.c
>> index fbc98ee..9f07909 100644
>> --- a/fs/sync.c
>> +++ b/fs/sync.c
>> @@ -103,6 +103,9 @@ SYSCALL_DEFINE0(sync)
>> {
>> int nowait = 0, wait = 1;
>>
>> + if (!capable(CAP_SYS_ADMIN))
>> + return -EPERM;
>
> So after this patch I can't call sync as a regular user? (even without
> containers).
> But nothing in sync(2) says about special permissions for this.

Yeah, this solution will break userspace.
A much more generic solution would be to wait for cgroup aware writeback[1].
As temporary hack you can check whether the calling process is in the
initial pid namesapce to detect
a container calling sync(2)...

[1] https://lwn.net/Articles/628631/
Wuqixuan April 21, 2015, 11:30 a.m. UTC | #3
Thanks for your both replies. We will waiting for the patchset, and
modify as per Richard's suggestion for temporary hack.

On 2015/4/17 3:31, Richard Weinberger wrote:
> On Thu, Apr 16, 2015 at 5:08 PM, Azat Khuzhin <a3at.mail@gmail.com> wrote:
>> On Thu, Apr 16, 2015 at 07:43:34PM +0800, Wuqixuan wrote:
>>> The process, supposed in one container, can't flush the metadata
>>> and data of the all host's partitions without CAP_SYS_ADMIN
>>> capability, like sys_mount is doing. The checking will prevent some
>>> vicious programs impacting IO sequnces of those partitions,
>>> particularly, the ones which can't be accessed in the container.
>>>
>>> Signed-off-by: Last Wu <wuqixuan@huawei.com>
>>> ---
>>> fs/sync.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/fs/sync.c b/fs/sync.c
>>> index fbc98ee..9f07909 100644
>>> --- a/fs/sync.c
>>> +++ b/fs/sync.c
>>> @@ -103,6 +103,9 @@ SYSCALL_DEFINE0(sync)
>>> {
>>> int nowait = 0, wait = 1;
>>>
>>> + if (!capable(CAP_SYS_ADMIN))
>>> + return -EPERM;
>> So after this patch I can't call sync as a regular user? (even without
>> containers).
>> But nothing in sync(2) says about special permissions for this.
> Yeah, this solution will break userspace.
> A much more generic solution would be to wait for cgroup aware writeback[1].
> As temporary hack you can check whether the calling process is in the
> initial pid namesapce to detect
> a container calling sync(2)...
>
> [1] https://lwn.net/Articles/628631/
>


--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/fs/sync.c b/fs/sync.c
index fbc98ee..9f07909 100644
--- a/fs/sync.c
+++ b/fs/sync.c
@@ -103,6 +103,9 @@  SYSCALL_DEFINE0(sync)
{
int nowait = 0, wait = 1;

+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
wakeup_flusher_threads(0, WB_REASON_SYNC);
iterate_supers(sync_inodes_one_sb, NULL);
iterate_supers(sync_fs_one_sb, &nowait);