[Devel] [PATCH rh7] fs: Allow mounting a bdev in RW mode even if devcgroup allows only RO.
Kirill Tkhai
ktkhai at odin.com
Thu Jun 25 07:59:30 PDT 2015
Please, drop this, I'll write another commentary.
On Thu, 25/06/2015 at 17:52 +0300, Kirill Tkhai wrote:
> We don't want to allow a CT full write access over a bdev,
> so that vzctl usually prohibits it.
>
> But we want to permit a mounting in RW mode inside container.
>
> https://jira.sw.ru/browse/PSBM-34497
>
> Note_1 (for reviewer): FMODE_MOUNT is used only in mount_bdev(),
> so this patch affects the only place.
>
> Note_2: strange, but kernel does not check for devcgroup permissions
> during remount. If write access is prohibited, it's possible to
> mount a bdev in RO mode, and to remount it RW after that, without
> problems. Looks like a mainstream bug. I'll think about that/send
> a patch/etc.
>
> Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
> ---
> fs/block_dev.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/fs/block_dev.c b/fs/block_dev.c
> index 15bd3ae..34949b0 100644
> --- a/fs/block_dev.c
> +++ b/fs/block_dev.c
> @@ -1075,8 +1075,16 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
> perm |= MAY_READ;
> if (mode & FMODE_WRITE)
> perm |= MAY_WRITE;
> - if (mode & FMODE_MOUNT)
> + if (mode & FMODE_MOUNT) {
> perm |= MAY_MOUNT;
> + /*
> + * In PCS7 vzctl usually prohibits write access in devcgroup
> + * permittions, because it allows direct writing to a bdev,
> + * which is dangerous.
> + * But anyway we want to permit mounting a bdev in rw mode.
> + */
> + perm &= ~MAY_WRITE;
> + }
> /*
> * hooks: /n/, see "layering violations".
> */
>
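Review bot: In the FMODE_MOUNT branch, `perm &= ~MAY_WRITE;` clears the write bit unconditionally, so a mount open that also carries FMODE_WRITE is never checked against the devcgroup write rule. That applies to every caller that reaches __blkdev_get() with FMODE_MOUNT, not only to containers configured by vzctl, and it leaves no way for an administrator to deny RW mounts while still allowing RO ones. Consider limiting the mask to the container case, or expressing "mount RW allowed" as a separate devcgroup permission instead of dropping MAY_WRITE from the check. The new comment should also state the assumption from the commit message that FMODE_MOUNT is set only by mount_bdev(), since the safety of this change depends on it, and "permittions" in the comment should read "permissions".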