From: Valeriy Vdovin <[email protected]> The flag 'trusted' is needed to implement a check of whether a privileged (VE0's) process may run code from a particular block device.
The aim of the check is to prohibit processes from VE0 to execute binaries stored on Container's filesystems as it's a potential security hole. In VZ7 we detected Container's block devices by checking dev major/minor - PLOOP_DEV_MAJOR means "ploop" and the execution must be prohibited by default. In VZ8 there is no PLOOP_DEV_MAJOR constant, because it's implemented via device mapper, leaving us with no way to deduce if it the file belongs to Container image or not. The flag 'trusted' in genhd comes to help here, because Container manager (read "vzctl/prlctl/ploop tool") can set the mounted Container image as untrusted, making the check for genhd->trusted an equivalent check to ploop major. By default all block devices are marked as "trusted", i.e. VE0 processes can run binaries stored on them. To mark a block device "untrusted":
# ls -l /dev/mapper/ploop18495
<skipped> /dev/mapper/ploop18495 -> ../dm-18495
# echo 0 > /sys/devices/virtual/block/dm-18495/vz_trusted_exec
https://jira.sw.ru/browse/PSBM-129741
Signed-off-by: Valeriy Vdovin <[email protected]>
Reviewed-by: Pavel Tikhomirov <[email protected]>
Reviewed-by: Konstantin Khorenko <[email protected]>
---
block/genhd.c | 39 +++++++++++++++++++++++++++++++++++++++
include/linux/genhd.h | 4 ++++
2 files changed, 43 insertions(+)
diff --git a/block/genhd.c b/block/genhd.c
index aaf39b0b479f..f479591ce27a 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1258,12 +1258,49 @@ static ssize_t disk_discard_alignment_show(struct device *dev,
 return sprintf(buf, "%d\n", queue_discard_alignment(disk->queue));
 }
+static ssize_t disk_vz_trusted_exec_store(struct device *dev,
+ struct device_attribute *attr,
+ const char *buf, size_t len)
+{
+ int n, value;
+ char newline;
+
+ struct gendisk *disk = dev_to_disk(dev);
+
+ n = sscanf(buf, "%d%c", &value, &newline);
+ switch (n) {
+ case 2:
+ if (newline != '\n')
+ return -EINVAL;
+ /* fall through */
+ case 1:
+ if (value != 1 && value != 0)
+ return -EINVAL;
+ break;
+ default:
+ return -EINVAL;
+ }
+ disk->vz_trusted_exec = value;
+ return len;
+}
+
+static ssize_t disk_vz_trusted_exec_show(struct device *dev,
+ struct device_attribute *attr,
+ char *buf)
+{
+ struct gendisk *disk = dev_to_disk(dev);
+
+ return sprintf(buf, "%d\n", disk->vz_trusted_exec ? 1 : 0);
+}
+
 static DEVICE_ATTR(range, 0444, disk_range_show, NULL);
 static DEVICE_ATTR(ext_range, 0444, disk_ext_range_show, NULL);
 static DEVICE_ATTR(removable, 0444, disk_removable_show, NULL);
 static DEVICE_ATTR(hidden, 0444, disk_hidden_show, NULL);
 static DEVICE_ATTR(ro, 0444, disk_ro_show, NULL);
 static DEVICE_ATTR(size, 0444, part_size_show, NULL);
+static DEVICE_ATTR(vz_trusted_exec, 0644, disk_vz_trusted_exec_show,
+ disk_vz_trusted_exec_store);
 static DEVICE_ATTR(alignment_offset, 0444, disk_alignment_offset_show, NULL);
 static DEVICE_ATTR(discard_alignment, 0444, disk_discard_alignment_show, NULL);
 static DEVICE_ATTR(capability, 0444, disk_capability_show, NULL);
@@ -1292,6 +1329,7 @@ static struct attribute *disk_attrs[] = {
 &dev_attr_stat.attr,
 &dev_attr_inflight.attr,
 &dev_attr_badblocks.attr,
+ &dev_attr_vz_trusted_exec.attr,
 #ifdef CONFIG_FAIL_MAKE_REQUEST
 &dev_attr_fail.attr,
 #endif
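Review bot: disk_vz_trusted_exec_store hand-parses the value with `sscanf("%d%c")`, which accepts anything that follows a first newline (`"1\nfoo"` is stored as 1) while rejecting the usual sysfs spellings `y`/`n`/`on`/`off`; the kernel idiom is `kstrtobool`, which handles the optional trailing newline itself, so the sscanf/switch block can become `bool value; if (kstrtobool(buf, &value)) return -EINVAL; disk->vz_trusted_exec = value;`. The attribute is created 0644, so only a root that can write this sysfs mount can clear or re-set it; whether a Container's root can reach `/sys/devices/virtual/block/dm-N/vz_trusted_exec` and re-trust its own image is not visible in this patch and is worth confirming, since the flag now stands in for the old PLOOP_DEV_MAJOR check. The flag is written here with a plain store and is presumably read lock-free on the exec path; a `WRITE_ONCE()` here and `READ_ONCE()` at the reader would make that intent explicit.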
@@ -1611,6 +1649,7 @@ struct gendisk *__alloc_disk_node(int minors, int node_id)
 }
 disk->minors = minors;
+ disk->vz_trusted_exec = true;
 rand_initialize_disk(disk);
 disk_to_dev(disk)->class = &block_class;
 disk_to_dev(disk)->type = &disk_type;
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
index 0eeee23d1d96..26fb7769a25e 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -220,6 +220,10 @@ struct gendisk {
 int node_id;
 struct badblocks *bb;
 struct lockdep_map lockdep_map;
+ /*
+ * if trusted, allow code execution from this disk
+ */
+ bool vz_trusted_exec;
 RH_KABI_RESERVE(1)
 RH_KABI_RESERVE(2)
-- 2.28.0
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
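Review bot: The default set here is fail-open: every gendisk, including a freshly created dm device backing a Container image, is executable from VE0 until userspace writes 0 to vz_trusted_exec, so the image is trusted in the window between device creation and the management tool's sysfs write, and stays trusted if that write is ever skipped. The commit message says this default is intentional, so the contract should at least be recorded at the assignment, e.g. `/* Fail-open by design: vzctl/ploop must clear this via sysfs before a Container image is exposed */`. If a fail-closed variant is wanted later, it would presumably have to be set where the dm device is created rather than here. __alloc_disk_node starts before the hunk.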
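Review bot: The new `bool vz_trusted_exec` is inserted ahead of the `RH_KABI_RESERVE(1)`/`RH_KABI_RESERVE(2)` slots, which shifts the offset of every later member of struct gendisk; if this tree preserves the RHEL kABI, the field should consume a reserve slot instead, e.g. `RH_KABI_USE(1, bool vz_trusted_exec)`. Independently, the comment `if trusted, allow code execution from this disk` does not say who owns the flag or what it defaults to; `/* Set by userspace through the sysfs attribute vz_trusted_exec; defaults to true, meaning VE0 may execute binaries from this disk. */` would let a reader of the header find the control path. struct gendisk starts before the hunk.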
