On Fri, Jan 27, 2012 at 05:56:54PM +0100, Paolo Bonzini wrote:
> commit 0bfc96cb77224736dfa35c3c555d37b3646ef35e upstream.
>
> Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
> will pass the command to the underlying block device. This is
> well-known, but it is also a large security problem when (via Unix
> permissions, ACLs, SELinux or a combination thereof) a program or user
> needs to be granted access only to part of the disk.
>
> This patch lets partitions forward a small set of harmless ioctls;
> others are logged with printk so that we can see which ioctls are
> actually sent. In my tests only CDROM_GET_CAPABILITY actually occurred.
> Of course it was being sent to a (partition on a) hard disk, so it would
> have failed with ENOTTY and the patch isn't changing anything in
> practice. Still, I'm treating it specially to avoid spamming the logs.
>
> In principle, this restriction should include programs running with
> CAP_SYS_RAWIO. If for example I let a program access /dev/sda2 and
> /dev/sdb, it still should not be able to read/write outside the
> boundaries of /dev/sda2 independent of the capabilities. However, for
> now programs with CAP_SYS_RAWIO will still be allowed to send the
> ioctls. Their actions will still be logged.
>
> This patch does not affect the non-libata IDE driver. That driver
> however already tests for bd != bd->bd_contains before issuing some
> ioctl; it could be restricted further to forbid these ioctls even for
> programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
>
> Cc: linux-scsi@xxxxxxxxxxxxxxx
> Cc: Jens Axboe <axboe@xxxxxxxxx>
> Cc: James Bottomley <JBottomley@xxxxxxxxxxxxx>
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> [ Make it also print the command name when warning - Linus ]
> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
>
> [ Changes with respect to 3.3: return -ENOTTY from scsi_verify_blk_ioctl
> and -ENOIOCTLCMD from sd_compat_ioctl. ]

Thanks, I've replaced the version in the 2.6.32-stable queue with this one.

greg k-h
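The policy the quoted commit message describes (whole-disk nodes forward everything; a partition forwards only a short list of harmless query ioctls, quietly refuses CDROM_GET_CAPABILITY, and logs anything else while still forwarding it for CAP_SYS_RAWIO holders) can be modelled in user space. The program below is an added illustration written for this page, not the kernel's scsi_verify_blk_ioctl; the ioctl numbers, the contents of the "harmless" list, and the struct and function names are all assumptions made for the example.

```c
/* Added illustration, not kernel code: a user-space model of the
 * partition ioctl policy described in the commit message above.
 * Command numbers, the harmless list and all names are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for ioctl command numbers; the real values
 * live in the kernel headers and differ from these. */
enum {
    CMD_SG_IO = 0x2285,
    CMD_CDROM_GET_CAPABILITY = 0x5331,
    CMD_GET_IDLUN = 0x5382,   /* stands in for a read-only query ioctl */
    CMD_UNKNOWN = 0x9999,
};

struct bdev {
    const char *name;
    bool is_partition;   /* true for a partition, false for the whole disk */
};

struct task {
    const char *comm;
    bool has_sys_rawio;  /* models capable(CAP_SYS_RAWIO) */
};

/* What the model decided and whether it emitted a printk-style message. */
struct verdict {
    int rc;        /* 0 = forwarded to the whole disk, -ENOTTY = refused */
    bool logged;
};

/* Small set of ioctls that only query the device and are safe to forward
 * from a partition (assumed list for the example). */
static bool is_harmless(unsigned int cmd)
{
    switch (cmd) {
    case CMD_GET_IDLUN:
        return true;
    default:
        return false;
    }
}

static struct verdict verify_partition_ioctl(const struct bdev *bd,
                                             const struct task *t,
                                             unsigned int cmd)
{
    struct verdict v = { 0, false };

    /* Whole-disk nodes are unaffected: forward everything. */
    if (!bd->is_partition)
        return v;

    if (is_harmless(cmd))
        return v;

    /* CDROM_GET_CAPABILITY is refused quietly: on a hard disk it would
     * fail anyway, and logging every occurrence would spam the logs. */
    if (cmd == CMD_CDROM_GET_CAPABILITY) {
        v.rc = -ENOTTY;
        return v;
    }

    /* Everything else is logged with the command number and caller.
     * CAP_SYS_RAWIO holders are still forwarded; everyone else gets ENOTTY. */
    v.logged = true;
    printf("%s: sending ioctl 0x%x to a partition (%s)!\n",
           t->comm, cmd, bd->name);
    if (!t->has_sys_rawio)
        v.rc = -ENOTTY;
    return v;
}

int main(void)
{
    struct bdev sda2 = { "sda2", true };
    struct bdev sdb = { "sdb", false };
    struct task user = { "backup", false };      /* constructed caller */
    struct task root = { "smartctl", true };     /* constructed caller */
    struct verdict v;

    v = verify_partition_ioctl(&sda2, &user, CMD_SG_IO);
    printf("unprivileged SG_IO on sda2 -> rc=%d logged=%d\n", v.rc, v.logged);
    v = verify_partition_ioctl(&sda2, &root, CMD_SG_IO);
    printf("CAP_SYS_RAWIO SG_IO on sda2 -> rc=%d logged=%d\n", v.rc, v.logged);
    v = verify_partition_ioctl(&sdb, &user, CMD_SG_IO);
    printf("SG_IO on whole disk sdb -> rc=%d logged=%d\n", v.rc, v.logged);
    return 0;
}
```

The interesting property for a reviewer is the one the commit message concedes: a CAP_SYS_RAWIO caller is logged but not stopped, so the log line is the only evidence that a partition-scoped grant was bypassed, which is why the command number (and, after Linus' change, the command name) is worth having in it.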