[Devel] [PATCH RHEL COMMIT] trusted/block: Added trusted flag to struct genhd

Konstantin Khorenko khorenko at virtuozzo.com
Mon Oct 4 21:40:59 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 2170d60078cef85e6a0841aab038f46922cba7b8
Author: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
Date:   Mon Oct 4 21:40:59 2021 +0300

    trusted/block: Added trusted flag to struct genhd
    
    The flag 'trusted' is needed to implement a check of whether a privileged
    (VE0's) process can run code from a particular block device.
    
    The aim of the check is to prohibit processes from VE0 to execute
    binaries stored on Container's filesystems as it's a potential security
    hole.
    
    In VZ7 we detected Container's block devices by checking dev
    major/minor - PLOOP_DEV_MAJOR means "ploop" and the execution must be
    prohibited by default.
    
    In VZ8 there is no PLOOP_DEV_MAJOR constant, because it's implemented
    via device mapper, leaving us with no way to deduce if it the file
    belongs to Container image or not.
    
    The flag 'trusted' in genhd comes to help here, because Container
    manager (read "vzctl/prlctl/ploop tool") can set the mounted Container
    image as untrusted, making the check for genhd->trusted an equivalent
    check to ploop major.
    
    By default all block devices are marked as "trusted", i.e. VE0 processes
    can run binaries stored on them.
    
    To mark a block device "untrusted":
    
     # ls -l /dev/mapper/ploop18495
       <skipped> /dev/mapper/ploop18495 -> ../dm-18495
     # echo 0 > /sys/devices/virtual/block/dm-18495/vz_trusted_exec
    
    https://jira.sw.ru/browse/PSBM-129741
    
    Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
    
    Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    (cherry picked from vz8 commit fc68f694ce2442b239f30212e936ebf42ea2962d)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 block/genhd.c         | 39 +++++++++++++++++++++++++++++++++++++++
 include/linux/genhd.h |  4 ++++
 2 files changed, 43 insertions(+)

diff --git a/block/genhd.c b/block/genhd.c
index a89b3eae6325..c8843b5669f9 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -987,12 +987,49 @@ static ssize_t disk_discard_alignment_show(struct device *dev,
 	return sprintf(buf, "%d\n", queue_discard_alignment(disk->queue));
 }
 
+static ssize_t disk_vz_trusted_exec_store(struct device *dev,
+					struct device_attribute *attr,
+					const char *buf, size_t len)
+{
+	int n, value;
+	char newline;
+
+	struct gendisk *disk = dev_to_disk(dev);
+
+	n = sscanf(buf, "%d%c", &value, &newline);
+	switch (n) {
+	case 2:
+		if (newline != '\n')
+			return -EINVAL;
+		/* fall through */
+	case 1:
+		if (value != 1 && value != 0)
+			return -EINVAL;
+		break;
+	default:
+		return -EINVAL;
+	}
+	disk->vz_trusted_exec = value;
+	return len;
+}
+
+static ssize_t disk_vz_trusted_exec_show(struct device *dev,
+			struct device_attribute *attr,
+			char *buf)
+{
+	struct gendisk *disk = dev_to_disk(dev);
+
+	return sprintf(buf, "%d\n", disk->vz_trusted_exec ? 1 : 0);
+}
+
 static DEVICE_ATTR(range, 0444, disk_range_show, NULL);
 static DEVICE_ATTR(ext_range, 0444, disk_ext_range_show, NULL);
 static DEVICE_ATTR(removable, 0444, disk_removable_show, NULL);
 static DEVICE_ATTR(hidden, 0444, disk_hidden_show, NULL);
 static DEVICE_ATTR(ro, 0444, disk_ro_show, NULL);
 static DEVICE_ATTR(size, 0444, part_size_show, NULL);
+static DEVICE_ATTR(vz_trusted_exec, 0644, disk_vz_trusted_exec_show,
+	disk_vz_trusted_exec_store);
 static DEVICE_ATTR(alignment_offset, 0444, disk_alignment_offset_show, NULL);
 static DEVICE_ATTR(discard_alignment, 0444, disk_discard_alignment_show, NULL);
 static DEVICE_ATTR(capability, 0444, disk_capability_show, NULL);
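Review bot: disk_vz_trusted_exec_store has no privilege check beyond the 0644 file mode, so if a Container's dm-* sysfs directory is ever visible and writable from inside that Container, Container root could flip the disk back to trusted and defeat the exact restriction this flag is meant to enforce; add a guard at the top, e.g. `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` (or the tree's VE0-only check, if one exists). Whether these sysfs nodes are reachable from inside a Container is not visible in this patch, so treat the guard as defence in depth rather than a proven hole. As a style point, the sscanf/switch parse could be replaced by `int ret = kstrtoint(buf, 10, &value); if (ret) return ret; if (value != 0 && value != 1) return -EINVAL;`, which already tolerates the trailing newline, and `sysfs_emit()` is the preferred form of `sprintf()` in the show path. The flag is a plain bool written here and presumably read on the exec path without a lock; that reader is outside this patch, so it cannot be checked here.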
@@ -1044,6 +1081,7 @@ static struct attribute *disk_attrs[] = {
 	&dev_attr_events.attr,
 	&dev_attr_events_async.attr,
 	&dev_attr_events_poll_msecs.attr,
+	&dev_attr_vz_trusted_exec.attr,
 #ifdef CONFIG_FAIL_MAKE_REQUEST
 	&dev_attr_fail.attr,
 #endif
@@ -1277,6 +1315,7 @@ struct gendisk *__alloc_disk_node(int minors, int node_id)
 		goto out_destroy_part_tbl;
 
 	disk->minors = minors;
+	disk->vz_trusted_exec = true;
 	rand_initialize_disk(disk);
 	disk_to_dev(disk)->class = &block_class;
 	disk_to_dev(disk)->type = &disk_type;
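Review bot: Initialising vz_trusted_exec to true makes the mechanism fail-open: a Container image disk is executable by VE0 from the moment it is allocated until the Container manager writes 0 to its sysfs node, so a manager crash or an ordering bug between disk creation and that write silently leaves the restriction off. Nothing in the patch shows why a disk could not start untrusted, though which disks are Container images is admittedly not decidable at allocation time; at minimum the choice should be recorded next to the assignment, e.g. `/* Fail-open default: a disk is exec-trusted until the Container manager clears vz_trusted_exec via sysfs. */`. __alloc_disk_node starts and ends outside the hunk.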
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
index 13b34177cc85..8abb11847ee0 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -172,6 +172,10 @@ struct gendisk {
 	int node_id;
 	struct badblocks *bb;
 	struct lockdep_map lockdep_map;
+	/*
+	 * if trusted, allow code execution from this disk
+	 */
+	bool vz_trusted_exec;
 };
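Review bot: The field comment says "allow code execution from this disk" but not for whom, who clears it, or what the default is, which is exactly what a reader of the exec-path consumer will need; suggest `/* Cleared by the Container manager via sysfs 'vz_trusted_exec' for Container image disks; when false, VE0 (host) processes must not exec binaries stored on this disk. Defaults to true. */`. It is a plain bool written from sysfs and presumably read without a lock on the exec path, which is tolerable for a boolean flag but worth stating in the same comment so nobody later adds multi-field state behind it. struct gendisk starts outside the hunk.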
 
 /*

