From patchwork Wed Sep 16 20:02:39 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Seth Forshee X-Patchwork-Id: 7199121 Return-Path: X-Original-To: patchwork-linux-fsdevel@patchwork.kernel.org Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.136]) by patchwork2.web.kernel.org (Postfix) with ESMTP id 16486BEEC1 for ; Wed, 16 Sep 2015 20:05:47 +0000 (UTC) Received: from mail.kernel.org (localhost [127.0.0.1]) by mail.kernel.org (Postfix) with ESMTP id 0171620396 for ; Wed, 16 Sep 2015 20:05:46 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id CD90C2038A for ; Wed, 16 Sep 2015 20:05:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753064AbbIPUFW (ORCPT ); Wed, 16 Sep 2015 16:05:22 -0400 Received: from mail-ig0-f172.google.com ([209.85.213.172]:37545 "EHLO mail-ig0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753277AbbIPUDr (ORCPT ); Wed, 16 Sep 2015 16:03:47 -0400 Received: by igbni9 with SMTP id ni9so215309igb.0 for ; Wed, 16 Sep 2015 13:03:46 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=WPMcE1ittwhp4NE39IxnanW5Bi2AYFOGiKSESmYTCT4=; b=DoKo6qmntYXn3eH2xMoHpivJY+DT+CfwucMcSfo0SbER5Lhoi1gfHUMvcYXDKzCPeM /FQJ9ShN4mGqty9X1dWbQkwJvE1kRHtV0skyFQTHvOx2LBs4+vzmuWCnGqj6Peauid2p FrYPayvWpvCOQTM2jLrQKR/tjYq//gSdN/brZAbLs484XDMr9e1AFizYHHkzUVvAOP0G LyJdX+0cYc9qijtyT7xGncrHOMvDclIh2r/9FTMGOZsdZEYflNtePKg5GHsCTsRc2Zgo HgG42tB1l2GjBtXt+dXy651pbSL/iXJEHJRDi9nF30WE9AKJZZMBTEha5Zj4sCPP3D7j uLTg== X-Gm-Message-State: ALoCoQkQDUXvCoiBIuBCQqGzT5Pjdn9S8CEnqeP3GLOkm2k5p8VPZPBgEZ8mF4RO05enhErnZ6Z9 X-Received: by 10.50.124.106 with SMTP id mh10mr19537020igb.65.1442433826215; Wed, 16 Sep 2015 13:03:46 -0700 (PDT) Received: from localhost (199-87-125-144.dyn.kc.surewest.net. [199.87.125.144]) by smtp.gmail.com with ESMTPSA id bd7sm2615879igb.19.2015.09.16.13.03.45 (version=TLSv1.2 cipher=RC4-SHA bits=128/128); Wed, 16 Sep 2015 13:03:45 -0700 (PDT) From: Seth Forshee To: "Eric W. Biederman" , Alexander Viro , David Woodhouse , Brian Norris , Jeff Layton , "J. Bruce Fields" Cc: Serge Hallyn , Andy Lutomirski , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, Seth Forshee Subject: [PATCH v3 3/7] fs: Verify access of user towards block device file when mounting Date: Wed, 16 Sep 2015 15:02:39 -0500 Message-Id: <1442433764-80826-4-git-send-email-seth.forshee@canonical.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1442433764-80826-1-git-send-email-seth.forshee@canonical.com> References: <1442433764-80826-1-git-send-email-seth.forshee@canonical.com> Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, T_RP_MATCHES_RCVD, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When mounting a filesystem on a block device there is currently no verification that the user has appropriate access to the device file passed to mount. This has not been an issue so far since the user in question has always been root, but this must be changed before allowing unprivileged users to mount in user namespaces. To do this, a new version of lookup_bdev() is added named lookup_bdev_perm(). Both of these functions become wrappers around a common inner fucntion. The behavior of lookup_bdev() is unchanged, but calling lookup_bdev_perm() will fail if the user does not have the specified access rights to the supplied path. The permission check is skipped if the user has CAP_SYS_ADMIN to avoid any possible regressions in behavior. blkdev_get_by_path() is updated to use lookup_bdev_perm(). This is used by mount_bdev() and mount_mtd(), so this will cause mounts on block devices to fail when the user lacks the required permissions. Other calls to blkdev_get_by_path() will all happen with root privileges, so these calls will be unaffected. Signed-off-by: Seth Forshee --- drivers/mtd/mtdsuper.c | 7 ++++++- fs/block_dev.c | 52 ++++++++++++++++++++++++++++++++++++++++---------- include/linux/fs.h | 1 + 3 files changed, 49 insertions(+), 11 deletions(-) diff --git a/drivers/mtd/mtdsuper.c b/drivers/mtd/mtdsuper.c index 20c02a3b7417..a3970b0506b9 100644 --- a/drivers/mtd/mtdsuper.c +++ b/drivers/mtd/mtdsuper.c @@ -125,6 +125,7 @@ struct dentry *mount_mtd(struct file_system_type *fs_type, int flags, #ifdef CONFIG_BLOCK struct block_device *bdev; int ret, major; + int perm = 0; #endif int mtdnr; @@ -176,7 +177,11 @@ struct dentry *mount_mtd(struct file_system_type *fs_type, int flags, /* try the old way - the hack where we allowed users to mount * /dev/mtdblock$(n) but didn't actually _use_ the blockdev */ - bdev = lookup_bdev(dev_name); + if (flags & FMODE_READ) + perm |= MAY_READ; + if (flags & FMODE_WRITE) + perm |= MAY_WRITE; + bdev = lookup_bdev_perm(dev_name, perm); if (IS_ERR(bdev)) { ret = PTR_ERR(bdev); pr_debug("MTDSB: lookup_bdev() returned %d\n", ret); diff --git a/fs/block_dev.c b/fs/block_dev.c index 26cee058dc02..d7b83e4ec138 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c @@ -1394,9 +1394,14 @@ struct block_device *blkdev_get_by_path(const char *path, fmode_t mode, void *holder) { struct block_device *bdev; + int perm = 0; int err; - bdev = lookup_bdev(path); + if (mode & FMODE_READ) + perm |= MAY_READ; + if (mode & FMODE_WRITE) + perm |= MAY_WRITE; + bdev = lookup_bdev_perm(path, perm); if (IS_ERR(bdev)) return bdev; @@ -1703,15 +1708,8 @@ int ioctl_by_bdev(struct block_device *bdev, unsigned cmd, unsigned long arg) EXPORT_SYMBOL(ioctl_by_bdev); -/** - * lookup_bdev - lookup a struct block_device by name - * @pathname: special file representing the block device - * - * Get a reference to the blockdevice at @pathname in the current - * namespace if possible and return it. Return ERR_PTR(error) - * otherwise. - */ -struct block_device *lookup_bdev(const char *pathname) +static struct block_device *__lookup_bdev(const char *pathname, int mask, + bool check_perm) { struct block_device *bdev; struct inode *inode; @@ -1726,6 +1724,11 @@ struct block_device *lookup_bdev(const char *pathname) return ERR_PTR(error); inode = d_backing_inode(path.dentry); + if (check_perm && !capable(CAP_SYS_ADMIN)) { + error = inode_permission(inode, mask); + if (error) + goto fail; + } error = -ENOTBLK; if (!S_ISBLK(inode->i_mode)) goto fail; @@ -1743,6 +1746,35 @@ fail: bdev = ERR_PTR(error); goto out; } + +/* + * lookup_bdev_perm - lookup a struct block_device by name and check for + * access rights + * @pathname: special file representing the block device + * @mask: rights to check for (%MAY_READ, %MAY_WRITE, %MAY_EXEC) + * + * Get a reference to the blockdevice at @pathname in the current + * namespace if possible, check for the specified rights to the device + * at @pathname, and return it. Return ERR_PTR(error) otherwise. + */ +struct block_device *lookup_bdev_perm(const char *pathname, int mask) +{ + return __lookup_bdev(pathname, mask, true); +} +EXPORT_SYMBOL(lookup_bdev_perm); + +/** + * lookup_bdev - lookup a struct block_device by name + * @pathname: special file representing the block device + * + * Get a reference to the blockdevice at @pathname in the current + * namespace if possible and return it. Return ERR_PTR(error) + * otherwise. + */ +struct block_device *lookup_bdev(const char *pathname) +{ + return __lookup_bdev(pathname, 0, false); +} EXPORT_SYMBOL(lookup_bdev); int __invalidate_device(struct block_device *bdev, bool kill_dirty) diff --git a/include/linux/fs.h b/include/linux/fs.h index 5ec201e8308c..d03c2061bdd2 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2383,6 +2383,7 @@ static inline void unregister_chrdev(unsigned int major, const char *name) #define BLKDEV_MAJOR_HASH_SIZE 255 extern const char *__bdevname(dev_t, char *buffer); extern const char *bdevname(struct block_device *bdev, char *buffer); +extern struct block_device *lookup_bdev_perm(const char *, int); extern struct block_device *lookup_bdev(const char *); extern void blkdev_show(struct seq_file *,off_t);