From: Greg Kroah-Hartman Date: Tue, 15 Sep 2020 07:56:22 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.19.146~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a728e35188b40845b9d3d098048ac2f835f6893f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch --- diff --git a/queue-4.4/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch b/queue-4.4/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch new file mode 100644 index 00000000000..ded619782f5 --- /dev/null +++ b/queue-4.4/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch @@ -0,0 +1,69 @@ +From f44d04e696feaf13d192d942c4f14ad2e117065a Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Thu, 3 Sep 2020 13:24:11 +0200 +Subject: rbd: require global CAP_SYS_ADMIN for mapping and unmapping + +From: Ilya Dryomov + +commit f44d04e696feaf13d192d942c4f14ad2e117065a upstream. + +It turns out that currently we rely only on sysfs attribute +permissions: + + $ ll /sys/bus/rbd/{add*,remove*} + --w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/add + --w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/add_single_major + --w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/remove + --w------- 1 root root 4096 Sep 3 20:38 /sys/bus/rbd/remove_single_major + +This means that images can be mapped and unmapped (i.e. block devices +can be created and deleted) by a UID 0 process even after it drops all +privileges or by any process with CAP_DAC_OVERRIDE in its user namespace +as long as UID 0 is mapped into that user namespace. + +Be consistent with other virtual block devices (loop, nbd, dm, md, etc) +and require CAP_SYS_ADMIN in the initial user namespace for mapping and +unmapping, and also for dumping the configuration string and refreshing +the image header. + +Cc: stable@vger.kernel.org +Signed-off-by: Ilya Dryomov +Reviewed-by: Jeff Layton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/rbd.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -3945,6 +3945,9 @@ static ssize_t rbd_image_refresh(struct + struct rbd_device *rbd_dev = dev_to_rbd_dev(dev); + int ret; + ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ + ret = rbd_dev_refresh(rbd_dev); + if (ret) + return ret; +@@ -5404,6 +5407,9 @@ static ssize_t do_rbd_add(struct bus_typ + bool read_only; + int rc; + ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ + if (!try_module_get(THIS_MODULE)) + return -ENODEV; + +@@ -5548,6 +5554,9 @@ static ssize_t do_rbd_remove(struct bus_ + bool already = false; + int ret; + ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ + ret = kstrtoul(buf, 10, &ul); + if (ret) + return ret; diff --git a/queue-4.4/series b/queue-4.4/series index cbcc1851eb3..4cd593b2303 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -16,3 +16,4 @@ usb-core-add-helpers-to-retrieve-endpoints.patch staging-wlan-ng-fix-out-of-bounds-read-in-prism2sta_probe_usb.patch btrfs-fix-wrong-address-when-faulting-in-pages-in-the-search-ioctl.patch scsi-target-iscsi-fix-hang-in-iscsit_access_np-when-getting-tpg-np_login_sem.patch +rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch