[Devel] [PATCH vz8 v5 1/5] trusted/block: Added trusted flag to struct genhd
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Jun 8 19:31:26 MSK 2021
From: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
The flag 'trusted' is needed to implement a check if a privileged
(VE0's) process can run code from a particular block device.
The aim of the check is to prohibit processes from VE0 to execute
binaries stored on Container's filesystems as it's a potential security
hole.
In VZ7 we detected Container's block devices by checking dev
major/minor - PLOOP_DEV_MAJOR means "ploop" and the execution must be
prohibited by default.
In VZ8 there is no PLOOP_DEV_MAJOR constant, because it's implemented
via device mapper, leaving us with no way to deduce if it the file
belongs to Container image or not.
The flag 'trusted' in genhd comes to help here, because Container
manager (read "vzctl/prlctl/ploop tool") can set the mounted Container
image as untrusted, making the check for genhd->trusted an equivalent
check to ploop major.
By default all block devices are marked as "trusted", i.e. VE0 processes
can run binaries stored on them.
To mark a block device "untrusted":
# ls -l /dev/mapper/ploop18495
<skipped> /dev/mapper/ploop18495 -> ../dm-18495
# echo 0 > /sys/devices/virtual/block/dm-18495/vz_trusted_exec
https://jira.sw.ru/browse/PSBM-129741
Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
block/genhd.c | 39 +++++++++++++++++++++++++++++++++++++++
include/linux/genhd.h | 4 ++++
2 files changed, 43 insertions(+)
diff --git a/block/genhd.c b/block/genhd.c
index aaf39b0b479f..f479591ce27a 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1258,12 +1258,49 @@ static ssize_t disk_discard_alignment_show(struct device *dev,
return sprintf(buf, "%d\n", queue_discard_alignment(disk->queue));
}
+static ssize_t disk_vz_trusted_exec_store(struct device *dev,
+ struct device_attribute *attr,
+ const char *buf, size_t len)
+{
+ int n, value;
+ char newline;
+
+ struct gendisk *disk = dev_to_disk(dev);
+
+ n = sscanf(buf, "%d%c", &value, &newline);
+ switch (n) {
+ case 2:
+ if (newline != '\n')
+ return -EINVAL;
+ /* fall through */
+ case 1:
+ if (value != 1 && value != 0)
+ return -EINVAL;
+ break;
+ default:
+ return -EINVAL;
+ }
+ disk->vz_trusted_exec = value;
+ return len;
+}
+
+static ssize_t disk_vz_trusted_exec_show(struct device *dev,
+ struct device_attribute *attr,
+ char *buf)
+{
+ struct gendisk *disk = dev_to_disk(dev);
+
+ return sprintf(buf, "%d\n", disk->vz_trusted_exec ? 1 : 0);
+}
+
static DEVICE_ATTR(range, 0444, disk_range_show, NULL);
static DEVICE_ATTR(ext_range, 0444, disk_ext_range_show, NULL);
static DEVICE_ATTR(removable, 0444, disk_removable_show, NULL);
static DEVICE_ATTR(hidden, 0444, disk_hidden_show, NULL);
static DEVICE_ATTR(ro, 0444, disk_ro_show, NULL);
static DEVICE_ATTR(size, 0444, part_size_show, NULL);
+static DEVICE_ATTR(vz_trusted_exec, 0644, disk_vz_trusted_exec_show,
+ disk_vz_trusted_exec_store);
static DEVICE_ATTR(alignment_offset, 0444, disk_alignment_offset_show, NULL);
static DEVICE_ATTR(discard_alignment, 0444, disk_discard_alignment_show, NULL);
static DEVICE_ATTR(capability, 0444, disk_capability_show, NULL);
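Review bot: The hand-rolled `sscanf(buf, "%d%c", &value, &newline)` parsing in disk_vz_trusted_exec_store duplicates what kstrtoint() already does (a trailing newline is tolerated, any other trailing character is rejected) and, unlike sscanf, reports out-of-range input with -ERANGE instead of silently wrapping. Parsing with kstrtoint and keeping the explicit 0/1 check turns the switch with its fall-through into one linear path. Because this knob is the entire security control, it is also worth confirming that the attribute cannot be written from inside a Container if that disk's sysfs directory is exposed there — the store path relies on the 0644 mode alone and has no VE check of its own (I cannot tell from the hunk whether the surrounding sysfs filtering already covers this). Both new functions are complete within the hunk.
```c
static ssize_t disk_vz_trusted_exec_store(struct device *dev,
					  struct device_attribute *attr,
					  const char *buf, size_t len)
{
	struct gendisk *disk = dev_to_disk(dev);
	int value, ret;

	/* kstrtoint accepts an optional trailing '\n' and rejects anything else. */
	ret = kstrtoint(buf, 10, &value);
	if (ret)
		return ret;
	/* Only 0 (untrusted) and 1 (trusted) are meaningful. */
	if (value != 0 && value != 1)
		return -EINVAL;
	disk->vz_trusted_exec = value;
	return len;
}
```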
@@ -1292,6 +1329,7 @@ static struct attribute *disk_attrs[] = {
&dev_attr_stat.attr,
&dev_attr_inflight.attr,
&dev_attr_badblocks.attr,
+ &dev_attr_vz_trusted_exec.attr,
#ifdef CONFIG_FAIL_MAKE_REQUEST
&dev_attr_fail.attr,
#endif
@@ -1611,6 +1649,7 @@ struct gendisk *__alloc_disk_node(int minors, int node_id)
}
disk->minors = minors;
+ disk->vz_trusted_exec = true;
rand_initialize_disk(disk);
disk_to_dev(disk)->class = &block_class;
disk_to_dev(disk)->type = &disk_type;
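Review bot: The new default at `disk->vz_trusted_exec = true;` is fail-open: every gendisk starts executable for VE0 processes until userspace clears the flag through sysfs, and nothing in the kernel enforces that step. The commit message says this is by design, but the line itself should say so, e.g. `/* Fail-open by design: the container manager clears this via sysfs vz_trusted_exec */`. If a gendisk can be torn down and reallocated for the same dm device (I cannot tell from here), the manager has to re-apply the setting on every re-creation, which is worth stating next to the default. __alloc_disk_node starts and ends outside the hunk.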
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
index 0eeee23d1d96..26fb7769a25e 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -220,6 +220,10 @@ struct gendisk {
int node_id;
struct badblocks *bb;
struct lockdep_map lockdep_map;
+ /*
+ * if trusted, allow code execution from this disk
+ */
+ bool vz_trusted_exec;
RH_KABI_RESERVE(1)
RH_KABI_RESERVE(2)
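Review bot: The comment on the new `vz_trusted_exec` field is too thin for a field that gates a security decision: it does not say who is subject to the check, what the default is, or how it is changed. Suggest replacing it with `/* VE0 processes may execute binaries from this disk. Defaults to true in __alloc_disk_node(); cleared by writing 0 to the sysfs attribute vz_trusted_exec. */`. Separately, inserting the bool ahead of the RH_KABI_RESERVE slots shifts the layout of struct gendisk for modules built against the previous header; if kABI stability matters for this tree, consuming a reserved slot with the RH_KABI_USE helper would avoid that — worth checking whether it applies here. struct gendisk continues outside the hunk.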
--
2.28.0