[Devel] [PATCH RH9 2/6] trusted/block: Added trusted flag to struct genhd

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Mon Oct 4 17:42:52 MSK 2021


From: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>

The flag 'trusted' is needed to implement a check of whether a privileged
(VE0's) process may run code from a particular block device.

The aim of the check is to prohibit processes from VE0 to execute
binaries stored on Container's filesystems as it's a potential security
hole.

In VZ7 we detected Container's block devices by checking dev
major/minor - PLOOP_DEV_MAJOR means "ploop" and the execution must be
prohibited by default.

In VZ8 there is no PLOOP_DEV_MAJOR constant, because it's implemented
via device mapper, leaving us with no way to deduce if it the file
belongs to Container image or not.

The flag 'trusted' in genhd comes to help here, because Container
manager (read "vzctl/prlctl/ploop tool") can set the mounted Container
image as untrusted, making the check for genhd->trusted an equivalent
check to ploop major.

By default all block devices are marked as "trusted", i.e. VE0 processes
can run binaries stored on them.

To mark a block device "untrusted":

 # ls -l /dev/mapper/ploop18495
   <skipped> /dev/mapper/ploop18495 -> ../dm-18495
 # echo 0 > /sys/devices/virtual/block/dm-18495/vz_trusted_exec

https://jira.sw.ru/browse/PSBM-129741

Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>

Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>

(cherry picked from vz8 commit fc68f694ce2442b239f30212e936ebf42ea2962d)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 block/genhd.c         | 39 +++++++++++++++++++++++++++++++++++++++
 include/linux/genhd.h |  4 ++++
 2 files changed, 43 insertions(+)

diff --git a/block/genhd.c b/block/genhd.c
index a89b3ea..c8843b5 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -987,12 +987,49 @@ static ssize_t disk_discard_alignment_show(struct device *dev,
 	return sprintf(buf, "%d\n", queue_discard_alignment(disk->queue));
 }
 
+static ssize_t disk_vz_trusted_exec_store(struct device *dev,
+					struct device_attribute *attr,
+					const char *buf, size_t len)
+{
+	int n, value;
+	char newline;
+
+	struct gendisk *disk = dev_to_disk(dev);
+
+	n = sscanf(buf, "%d%c", &value, &newline);
+	switch (n) {
+	case 2:
+		if (newline != '\n')
+			return -EINVAL;
+		/* fall through */
+	case 1:
+		if (value != 1 && value != 0)
+			return -EINVAL;
+		break;
+	default:
+		return -EINVAL;
+	}
+	disk->vz_trusted_exec = value;
+	return len;
+}
+
+static ssize_t disk_vz_trusted_exec_show(struct device *dev,
+			struct device_attribute *attr,
+			char *buf)
+{
+	struct gendisk *disk = dev_to_disk(dev);
+
+	return sprintf(buf, "%d\n", disk->vz_trusted_exec ? 1 : 0);
+}
+
 static DEVICE_ATTR(range, 0444, disk_range_show, NULL);
 static DEVICE_ATTR(ext_range, 0444, disk_ext_range_show, NULL);
 static DEVICE_ATTR(removable, 0444, disk_removable_show, NULL);
 static DEVICE_ATTR(hidden, 0444, disk_hidden_show, NULL);
 static DEVICE_ATTR(ro, 0444, disk_ro_show, NULL);
 static DEVICE_ATTR(size, 0444, part_size_show, NULL);
+static DEVICE_ATTR(vz_trusted_exec, 0644, disk_vz_trusted_exec_show,
+	disk_vz_trusted_exec_store);
 static DEVICE_ATTR(alignment_offset, 0444, disk_alignment_offset_show, NULL);
 static DEVICE_ATTR(discard_alignment, 0444, disk_discard_alignment_show, NULL);
 static DEVICE_ATTR(capability, 0444, disk_capability_show, NULL);
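Review bot: disk_vz_trusted_exec_store accepts a write from any caller that can open the 0644 sysfs node, so if a device's sysfs entry is reachable from inside a Container, Container root could write `1` and re-mark its own image as trusted, which undoes the protection this flag exists for. I would gate the store on the caller being in VE0 (returning -EPERM otherwise) or otherwise make sure the attribute is not writable from a Container's view of sysfs, and state which in a comment above the function. Separately, the `sscanf("%d%c")` plus switch parsing could be replaced by the kernel idiom `bool val; if (kstrtobool(buf, &val)) return -EINVAL; disk->vz_trusted_exec = val;`, which already tolerates the trailing newline, with the caveat that it also accepts y/n/on/off.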
@@ -1044,6 +1081,7 @@ ssize_t part_fail_store(struct device *dev,
 	&dev_attr_events.attr,
 	&dev_attr_events_async.attr,
 	&dev_attr_events_poll_msecs.attr,
+	&dev_attr_vz_trusted_exec.attr,
 #ifdef CONFIG_FAIL_MAKE_REQUEST
 	&dev_attr_fail.attr,
 #endif
@@ -1277,6 +1315,7 @@ struct gendisk *__alloc_disk_node(int minors, int node_id)
 		goto out_destroy_part_tbl;
 
 	disk->minors = minors;
+	disk->vz_trusted_exec = true;
 	rand_initialize_disk(disk);
 	disk_to_dev(disk)->class = &block_class;
 	disk_to_dev(disk)->type = &disk_type;
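Review bot: `disk->vz_trusted_exec = true;` makes the mechanism fail-open: every disk, including a freshly created device-mapper/ploop device, is executable by VE0 processes until the Container manager writes `0` to the sysfs node, so a manager that crashes, is out of date, or races a mount against that write leaves the exec check silently disabled. Given that the block layer cannot tell a Container image from a host disk (as the description says), this may be the only workable default, but it should be documented next to the assignment, e.g. `/* Fail-open: the Container manager must clear this via sysfs before the image is exposed to VE0. */`, and the required ordering on the manager side (mark untrusted before mount) called out in the commit message. __alloc_disk_node's body begins and ends outside the hunk.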
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
index 13b3417..8abb118 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -172,6 +172,10 @@ struct gendisk {
 	int node_id;
 	struct badblocks *bb;
 	struct lockdep_map lockdep_map;
+	/*
+	 * if trusted, allow code execution from this disk
+	 */
+	bool vz_trusted_exec;
 };
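Review bot: The new field's comment `if trusted, allow code execution from this disk` does not say who decides trust or what the default is, which is what a reader of struct gendisk needs. I would expand it to `/* VZ: may VE0 processes exec binaries from this disk? Defaults to true in __alloc_disk_node(); cleared by the Container manager via the vz_trusted_exec sysfs attribute. */`. Since the field is a plain bool written from sysfs and presumably read on the exec path by a later patch in the series, the comment could also note that no locking is intended. struct gendisk's definition starts outside the hunk.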
 
 /*
-- 
1.8.3.1


