[Devel] [PATCH RHEL10 COMMIT] fs: enforce cgroup permissions for bdevs on mount

Konstantin Khorenko khorenko at virtuozzo.com
Fri Nov 21 15:20:23 MSK 2025 

The commit is pushed to "branch-rh10-6.12.0-55.13.1.2.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-55.13.1.2.20.vz10
------>
commit da21922b3e42b7f9301b2e91097fbb136d560109
Author: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
Date:   Thu Nov 20 12:44:12 2025 +0000

    fs: enforce cgroup permissions for bdevs on mount
    
    In mount operations, cgroup device access permissions are checked only
    when a new super_block is created. If the device has already been mounted,
    no permission check is performed since the super_block already exists.
    As a result, a process belonging to a cgroup without access permissions
    to the device can still perform a mount operation successfully.
    
    To reproduce:
     # mount /dev/loop0 /mnt/test0
     # echo $$ > /sys/fs/cgroup/machine.slice/CTID/cgroup.procs
     # mount /dev/loop0 /mnt/test1
     #
    
    If the device was not mounted before, the mount operation fails
    as expected:
     # echo $$ > /sys/fs/cgroup/machine.slice/CTID/cgroup.procs
     # mount /dev/loop0 /mnt/test1
     mount: /mnt/test1: permission denied.
    
    This patch adds a cgroup permission check for the mounting process
    before obtaining the device's super_block. As a result, even if the
    device has already been mounted and the super_block exists, the mount
    operation will be denied when the process lacks the appropriate cgroup
    permissions.
    
    https://virtuozzo.atlassian.net/browse/VSTOR-105978
    
    Signed-off-by: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
    Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    Feature: fs: whiltelist what can be mounted in a CT
    
    ======
    Patchset description:
    cgroup/devices: Fix missing permission
    
    This fixes an issue in the cgroup device controller where device access
    checks were not enforced if he cgroup filesystem was already mounted
    before. As a result, processes could bypass device access
    restrictions.
---
 block/blk.h            |  1 -
 drivers/mtd/mtdsuper.c |  2 +-
 fs/super.c             | 19 ++++++++++++++++++-
 include/linux/blkdev.h |  1 +
 include/linux/fs.h     |  1 +
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/block/blk.h b/block/blk.h
index c718e4291db06..8610d87e50505 100644
--- a/block/blk.h
+++ b/block/blk.h
@@ -727,7 +727,6 @@ static inline void bio_issue_init(struct bio_issue *issue,
 void bdev_release(struct file *bdev_file);
 int bdev_open(struct block_device *bdev, blk_mode_t mode, void *holder,
 	      const struct blk_holder_ops *hops, struct file *bdev_file);
-int bdev_permission(dev_t dev, blk_mode_t mode, void *holder);
 
 void blk_integrity_generate(struct bio *bio);
 void blk_integrity_verify(struct bio *bio);
diff --git a/drivers/mtd/mtdsuper.c b/drivers/mtd/mtdsuper.c
index b7e3763c47f0c..417f11bdbf0b5 100644
--- a/drivers/mtd/mtdsuper.c
+++ b/drivers/mtd/mtdsuper.c
@@ -30,7 +30,7 @@ static int mtd_get_sb(struct fs_context *fc,
 	struct super_block *sb;
 	int ret;
 
-	sb = sget_dev(fc, MKDEV(MTD_BLOCK_MAJOR, mtd->index));
+	sb = _sget_dev(fc, MKDEV(MTD_BLOCK_MAJOR, mtd->index));
 	if (IS_ERR(sb))
 		return PTR_ERR(sb);
 
diff --git a/fs/super.c b/fs/super.c
index faf37790544e6..2c266c869312f 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1400,11 +1400,23 @@ static int super_s_dev_test(struct super_block *s, struct fs_context *fc)
  * Return: an existing or newly created superblock on success, an error
  *         pointer on failure.
  */
-struct super_block *sget_dev(struct fs_context *fc, dev_t dev)
+struct super_block *_sget_dev(struct fs_context *fc, dev_t dev)
 {
 	fc->sget_key = &dev;
 	return sget_fc(fc, super_s_dev_test, super_s_dev_set);
 }
+EXPORT_SYMBOL(_sget_dev);
+
+struct super_block *sget_dev(struct fs_context *fc, dev_t dev)
+{
+	int ret;
+
+	blk_mode_t mode = sb_open_mode(fc->sb_flags) | BLK_OPEN_MOUNT;
+	ret = bdev_permission(dev, mode, fc);
+	if (ret)
+		return ERR_PTR(ret);
+	return _sget_dev(fc, dev);
+}
 EXPORT_SYMBOL(sget_dev);
 
 #ifdef CONFIG_BLOCK
@@ -1722,6 +1734,11 @@ struct dentry *mount_bdev(struct file_system_type *fs_type,
 	if (error)
 		return ERR_PTR(error);
 
+	/* Check cgroup permissions before getting super_block */
+	error = bdev_permission(dev, sb_open_mode(flags) | BLK_OPEN_MOUNT, data);
+	if (error)
+		return ERR_PTR(error);
+
 	flags |= SB_NOSEC;
 	s = sget(fs_type, test_bdev_super, set_bdev_super, flags, &dev);
 	if (IS_ERR(s))
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 64c28dbb44b48..4a66f6aa0441d 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -1666,6 +1666,7 @@ struct file *bdev_file_open_by_path(const char *path, blk_mode_t mode,
 int bd_prepare_to_claim(struct block_device *bdev, void *holder,
 		const struct blk_holder_ops *hops);
 void bd_abort_claiming(struct block_device *bdev, void *holder);
+int bdev_permission(dev_t dev, blk_mode_t mode, void *holder);
 
 /* just for blk-cgroup, don't use elsewhere */
 struct block_device *blkdev_get_no_open(dev_t dev);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index b6f7809cad29a..13528ccf09b76 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2608,6 +2608,7 @@ struct super_block *sget(struct file_system_type *type,
 			int (*set)(struct super_block *,void *),
 			int flags, void *data);
 struct super_block *sget_dev(struct fs_context *fc, dev_t dev);
+struct super_block *_sget_dev(struct fs_context *fc, dev_t dev);
 
 /* Alas, no aliases. Too much hassle with bringing module.h everywhere */
 #define fops_get(fops) ({						\

More information about the Devel mailing list