[Devel] [PATCH] [OpenVZ kernel] Fix for a possible DoS attack via forced umount of a Lustre filesystem from inside a container

Dawid Golunski golunski at onet.eu
Fri Apr 3 08:07:01 PDT 2009


BACKGROUND

A Lustre filesystem can easily be instructed to stop when the -f
parameter is provided to the umount command.
As we can read in the Lustre documentation:

     To stop a server:

     $ umount -f /mnt/test/ost0

     The '-f' flag means "force"; force the server to stop WITHOUT RECOVERY.

Although it is a handy feature that might be used when dealing with
an unresponsive Lustre server, it creates a
possibility of carrying out a DoS attack by a malicious user.

The problem is only real if we have a hosting server running OpenVZ
and a group of containers (used by outside users)
mounting the same Lustre filesystem. In such a setup one of the users
can type:

umount -f /mnt/shared/lustre/fs

inside a container, which will cause the Lustre filesystem to stop
without any warning, preventing all the other containers
that use the same filesystem from reading data.

Such an event gets logged to /var/log/messages as:

kernel: Lustre: setting import lustre-server-MDT0000_UUID INACTIVE by administrator request

Important: the above is also likely to happen when one of the
containers gets stopped, since a lot of Linux distributions,
as part of the shutdown process, run the umount -f command on the
filesystems found in the /etc/mtab file.

PATCH

I attach a patch below that addresses the issue. It is for the newest
OpenVZ kernel (2.6.18-92.1.18.el5.028stab060.2).
The patch prevents users from running the umount -f command on Lustre
filesystems inside a container. If umount -f gets run inside
a container, the -f option will get removed and a standard, not forced
umount will be performed (writing an appropriate alert message
to the logs). If umount -f gets run on the host server it will work as
expected - forcing a Lustre filesystem to stop.

Best Regards,
Dawid Golunski



--- linux-2.6.18.i686/fs/namespace.c	2009-03-26 11:09:57.000000000 +0000
+++ linux-2.6.18.i686-lustre-umount-patch/fs/namespace.c	2009-03-27  
01:41:49.000000000 +0000
@@ -728,10 +728,15 @@ asmlinkage long sys_umount(char __user *
  	if (!check_mnt(nd.mnt))
  		goto dput_and_out;

+	
+	if (!memcmp(nd.mnt->mnt_sb->s_type->name, "lustre", 6) && ! 
ve_is_super(get_exec_env()) && (flags & MNT_FORCE)) {
+		printk(KERN_ALERT "Forced umount of lustre fs is not allowed inside  
container (%d). Overriding MNT_FORCE flag.\n", get_exec_env()->veid);
+		flags &= (~MNT_FORCE);
+	}
+
  	retval = -EPERM;
  	if (!capable(CAP_VE_SYS_ADMIN))
  		goto dput_and_out;
-
  	retval = do_umount(nd.mnt, flags);
  dput_and_out:
  	path_release_on_umount(&nd);
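
Review bot: The added block sits above the capable(CAP_VE_SYS_ADMIN) test, so any process inside a container that calls umount with MNT_FORCE on a lustre mount, privileged or not, produces a KERN_ALERT printk on every call with no rate limiting. Moving the block below the capable() check and guarding the message with printk_ratelimit() would keep a container from flooding the host log. The memcmp(..., "lustre", 6) comparison is a prefix match: it also catches any filesystem type whose name merely begins with "lustre", and it compares six bytes even when the type name is shorter than that. strcmp() against the full name expresses the intent exactly. The hunk also adds a whitespace-only line before the new block and drops the blank line before "retval = do_umount(nd.mnt, flags);", both unrelated to the fix.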





