[Devel] [PATCH RHEL8 COMMIT] trusted/block: Added trusted flag to struct genhd

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jun 9 14:01:04 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.37
------>
commit 4d6c27aaea58c2d224f3ab52626c4d566263a995
Author: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
Date:   Wed Jun 9 14:01:03 2021 +0300

    trusted/block: Added trusted flag to struct genhd
    
    The flag 'trusted' is needed to implement a check if a privileged
    (VE0's) process can run code from a particular block device.
    
    The aim of the check is to prohibit processes from VE0 to execute
    binaries stored on Container's filesystems as it's a potential security
    hole.
    
    In VZ7 we detected Container's block devices by checking dev
    major/minor - PLOOP_DEV_MAJOR means "ploop" and the execution must be
    prohibited by default.
    
    In VZ8 there is no PLOOP_DEV_MAJOR constant, because it's implemented
    via device mapper, leaving us with no way to deduce if it the file
    belongs to Container image or not.
    
    The flag 'trusted' in genhd comes to help here, because Container
    manager (read "vzctl/prlctl/ploop tool") can set the mounted Container
    image as untrusted, making the check for genhd->trusted an equivalent
    check to ploop major.
    
    By default all block devices are marked as "trusted", i.e. VE0 processes
    can run binaries stored on them.
    
    To mark a block device "untrusted":
    
     # ls -l /dev/mapper/ploop18495
       <skipped> /dev/mapper/ploop18495 -> ../dm-18495
     # echo 0 > /sys/devices/virtual/block/dm-18495/vz_trusted_exec
    
    https://jira.sw.ru/browse/PSBM-129741
    
    Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
    
    Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 block/genhd.c         | 39 +++++++++++++++++++++++++++++++++++++++
 include/linux/genhd.h |  4 ++++
 2 files changed, 43 insertions(+)

diff --git a/block/genhd.c b/block/genhd.c
index aaf39b0b479f..f479591ce27a 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1258,12 +1258,49 @@ static ssize_t disk_discard_alignment_show(struct device *dev,
 	return sprintf(buf, "%d\n", queue_discard_alignment(disk->queue));
 }
 
+static ssize_t disk_vz_trusted_exec_store(struct device *dev,
+					struct device_attribute *attr,
+					const char *buf, size_t len)
+{
+	int n, value;
+	char newline;
+
+	struct gendisk *disk = dev_to_disk(dev);
+
+	n = sscanf(buf, "%d%c", &value, &newline);
+	switch (n) {
+	case 2:
+		if (newline != '\n')
+			return -EINVAL;
+		/* fall through */
+	case 1:
+		if (value != 1 && value != 0)
+			return -EINVAL;
+		break;
+	default:
+		return -EINVAL;
+	}
+	disk->vz_trusted_exec = value;
+	return len;
+}
+
+static ssize_t disk_vz_trusted_exec_show(struct device *dev,
+			struct device_attribute *attr,
+			char *buf)
+{
+	struct gendisk *disk = dev_to_disk(dev);
+
+	return sprintf(buf, "%d\n", disk->vz_trusted_exec ? 1 : 0);
+}
+
 static DEVICE_ATTR(range, 0444, disk_range_show, NULL);
 static DEVICE_ATTR(ext_range, 0444, disk_ext_range_show, NULL);
 static DEVICE_ATTR(removable, 0444, disk_removable_show, NULL);
 static DEVICE_ATTR(hidden, 0444, disk_hidden_show, NULL);
 static DEVICE_ATTR(ro, 0444, disk_ro_show, NULL);
 static DEVICE_ATTR(size, 0444, part_size_show, NULL);
+static DEVICE_ATTR(vz_trusted_exec, 0644, disk_vz_trusted_exec_show,
+	disk_vz_trusted_exec_store);
 static DEVICE_ATTR(alignment_offset, 0444, disk_alignment_offset_show, NULL);
 static DEVICE_ATTR(discard_alignment, 0444, disk_discard_alignment_show, NULL);
 static DEVICE_ATTR(capability, 0444, disk_capability_show, NULL);
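Review bot: `disk_vz_trusted_exec_store` accepts both transitions (0 → 1 as well as 1 → 0) with nothing beyond the attribute's 0644 mode, yet the flag it writes gates the VE0 exec-restriction described in the commit message, so anything able to write the sysfs file can re-trust a Container image. Consider opening the handler with `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` (or the VE-level check this tree uses for VE0-only operations), or at least a comment stating which sysfs view is expected to expose this attribute. The hand-rolled `sscanf("%d%c")`/switch parsing could be replaced by `kstrtobool(buf, &trusted)`, the usual idiom for boolean sysfs attributes, but note it would also accept y/n/on/off, so keep the current parser if the interface is meant to be exactly 0/1. The same 0644 attribute is registered in the following hunk (`disk_attrs`), which needs no separate change.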
@@ -1292,6 +1329,7 @@ static struct attribute *disk_attrs[] = {
 	&dev_attr_stat.attr,
 	&dev_attr_inflight.attr,
 	&dev_attr_badblocks.attr,
+	&dev_attr_vz_trusted_exec.attr,
 #ifdef CONFIG_FAIL_MAKE_REQUEST
 	&dev_attr_fail.attr,
 #endif
@@ -1611,6 +1649,7 @@ struct gendisk *__alloc_disk_node(int minors, int node_id)
 		}
 
 		disk->minors = minors;
+		disk->vz_trusted_exec = true;
 		rand_initialize_disk(disk);
 		disk_to_dev(disk)->class = &block_class;
 		disk_to_dev(disk)->type = &disk_type;
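Review bot: The trusted default is established only by this assignment in `__alloc_disk_node` (whose body starts and ends outside the hunk); a gendisk obtained without passing through here would presumably stay zero-initialized, i.e. untrusted, which is fail-safe but worth stating. A why-comment on the added line would make the policy explicit: `/* Trusted by default: VE0 may exec from this disk until the Container manager clears vz_trusted_exec via sysfs */`.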
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
index 0eeee23d1d96..26fb7769a25e 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -220,6 +220,10 @@ struct gendisk {
 	int node_id;
 	struct badblocks *bb;
 	struct lockdep_map lockdep_map;
+	/*
+	 * if trusted, allow code execution from this disk
+	 */
+	bool vz_trusted_exec;
 
 	RH_KABI_RESERVE(1)
 	RH_KABI_RESERVE(2)
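Review bot: The new `bool vz_trusted_exec` is inserted ahead of `RH_KABI_RESERVE(1)` instead of consuming a reserved slot, which shifts the layout of `struct gendisk` for any out-of-tree module built against the RHEL kABI; if this branch tracks kABI, `RH_KABI_USE(1, bool vz_trusted_exec)` (adapted to the macro form this tree provides) would avoid that. The field comment should also record the default and the writer, since both matter for reasoning about the exec check: `/* Allow VE0 to execute binaries from this disk. true by default; cleared by the Container manager via the vz_trusted_exec sysfs attribute. */`. `struct gendisk` begins and ends outside the hunk.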

