From: Greg Kroah-Hartman Date: Tue, 15 Sep 2020 07:56:53 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.19.146~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df5edce78d1fdd53105c566dc4465bb358b23bf6;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch --- diff --git a/queue-4.14/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch b/queue-4.14/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch new file mode 100644 index 00000000000..f532416a0af --- /dev/null +++ b/queue-4.14/rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch @@ -0,0 +1,79 @@ +From f44d04e696feaf13d192d942c4f14ad2e117065a Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Thu, 3 Sep 2020 13:24:11 +0200 +Subject: rbd: require global CAP_SYS_ADMIN for mapping and unmapping + +From: Ilya Dryomov + +commit f44d04e696feaf13d192d942c4f14ad2e117065a upstream. + +It turns out that currently we rely only on sysfs attribute +permissions: + + $ ll /sys/bus/rbd/{add*,remove*} + --w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/add + --w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/add_single_major + --w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/remove + --w------- 1 root root 4096 Sep 3 20:38 /sys/bus/rbd/remove_single_major + +This means that images can be mapped and unmapped (i.e. block devices +can be created and deleted) by a UID 0 process even after it drops all +privileges or by any process with CAP_DAC_OVERRIDE in its user namespace +as long as UID 0 is mapped into that user namespace. + +Be consistent with other virtual block devices (loop, nbd, dm, md, etc) +and require CAP_SYS_ADMIN in the initial user namespace for mapping and +unmapping, and also for dumping the configuration string and refreshing +the image header. + +Cc: stable@vger.kernel.org +Signed-off-by: Ilya Dryomov +Reviewed-by: Jeff Layton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/rbd.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -4534,6 +4534,9 @@ static ssize_t rbd_config_info_show(stru + { + struct rbd_device *rbd_dev = dev_to_rbd_dev(dev); + ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ + return sprintf(buf, "%s\n", rbd_dev->config_info); + } + +@@ -4635,6 +4638,9 @@ static ssize_t rbd_image_refresh(struct + struct rbd_device *rbd_dev = dev_to_rbd_dev(dev); + int ret; + ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ + ret = rbd_dev_refresh(rbd_dev); + if (ret) + return ret; +@@ -6159,6 +6165,9 @@ static ssize_t do_rbd_add(struct bus_typ + bool read_only; + int rc; + ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ + if (!try_module_get(THIS_MODULE)) + return -ENODEV; + +@@ -6311,6 +6320,9 @@ static ssize_t do_rbd_remove(struct bus_ + bool force = false; + int ret; + ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ + dev_id = -1; + opt_buf[0] = '\0'; + sscanf(buf, "%d %5s", &dev_id, opt_buf); diff --git a/queue-4.14/series b/queue-4.14/series index 5bb40de559f..81155448667 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -42,3 +42,4 @@ btrfs-fix-wrong-address-when-faulting-in-pages-in-the-search-ioctl.patch regulator-push-allocation-in-set_consumer_device_supply-out-of-lock.patch scsi-target-iscsi-fix-data-digest-calculation.patch scsi-target-iscsi-fix-hang-in-iscsit_access_np-when-getting-tpg-np_login_sem.patch +rbd-require-global-cap_sys_admin-for-mapping-and-unmapping.patch