On Tue 04-07-23 11:44:16, Eric Biggers wrote:
> On Tue, Jul 04, 2023 at 02:56:49PM +0200, Jan Kara wrote:
> > Writing to mounted devices is dangerous and can lead to filesystem
> > corruption as well as crashes. Furthermore syzbot comes with more and
> > more involved examples of how to corrupt a block device under a mounted
> > filesystem leading to kernel crashes and reports we can do nothing
> > about. Add tracking of writers to each block device and a kernel cmdline
> > argument which controls whether writes to block devices open with
> > BLK_OPEN_BLOCK_WRITES flag are allowed. We will make filesystems use
> > this flag for used devices.
> >
> > Syzbot can use this cmdline argument option to avoid uninteresting
> > crashes. Also users whose userspace setup does not need writing to
> > mounted block devices can set this option for hardening.
> >
> > Link: https://lore.kernel.org/all/60788e5d-5c7c-1142-e554-c21d709acfd9@xxxxxxxxxx
> > Signed-off-by: Jan Kara <jack@xxxxxxx>
> > ---
> > block/Kconfig | 16 ++++++++++
> > block/bdev.c | 63 ++++++++++++++++++++++++++++++++++++++-
> > include/linux/blk_types.h | 1 +
> > include/linux/blkdev.h | 3 ++
> > 4 files changed, 82 insertions(+), 1 deletion(-)
> >
> > diff --git a/block/Kconfig b/block/Kconfig
> > index 86122e459fe0..8b4fa105b854 100644
> > --- a/block/Kconfig
> > +++ b/block/Kconfig
> > @@ -77,6 +77,22 @@ config BLK_DEV_INTEGRITY_T10 > > select CRC_T10DIF > > select CRC64_ROCKSOFT > > > > +config BLK_DEV_WRITE_MOUNTED > > + bool "Allow writing to mounted block devices" > > + default y > > + help > > + When a block device is mounted, writing to its buffer cache very likely > > + going to cause filesystem corruption. It is also rather easy to crash > > + the kernel in this way since the filesystem has no practical way of > > + detecting these writes to buffer cache and verifying its metadata > > + integrity. However there are some setups that need this capability > > + like running fsck on read-only mounted root device, modifying some > > + features on mounted ext4 filesystem, and similar. If you say N, the > > + kernel will prevent processes from writing to block devices that are > > + mounted by filesystems which provides some more protection from runaway > > + priviledged processes. If in doubt, say Y. The configuration can be > > + overridden with bdev_allow_write_mounted boot option. > > Does this prevent the underlying storage from being written to? Say if the > mounted block device is /dev/sda1 and someone tries to write to /dev/sda in the > region that contains sda1. > > I *think* the answer is no, writes to /dev/sda are still allowed since the goal > is just to prevent writes to the buffer cache of mounted block devices, not > writes to the underlying storage. That is really something that should be > stated explicitly, though. You are correct. The answer is "no" because as Ted says, there are many ways to do that anyway and for a filesystem it is generally not much different from just corrupted fs image. I'll explicitely mention it in the config text, that's a good idea. Honza -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR
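Review bot: the BLK_DEV_WRITE_MOUNTED help text in this hunk should state explicitly that the protection covers only writes that go through the mounted block device's own buffer cache, not the storage underneath it: with /dev/sda1 mounted, a write to /dev/sda over the partition's sectors is still allowed, as Eric asked and Jan confirmed above. A sentence to that effect after "the filesystem has no practical way of detecting these writes to buffer cache" would avoid the false sense of safety the current wording invites. Three language fixes in the same text: "writing to its buffer cache very likely going to cause" is missing "is"; "priviledged" should be "privileged"; and "mounted by filesystems which provides some more protection" needs a comma before "which", since the clause refers to the prevention rather than to the filesystems. The help also names the bdev_allow_write_mounted boot option, but the diffstat shows no change to Documentation/admin-guide/kernel-parameters.txt; the option and its accepted values should be documented there, and the help text could point at that entry.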
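As an added example that is not part of the patch or of the thread above: a small userspace guard, in C, that applies the same per-device rule on the user side. It refuses to open a block device O_RDWR when the device's major:minor appears as a mounted device in /proc/self/mountinfo. The function names are my own, and the mountinfo sample embedded in the block is constructed for illustration. It makes Eric's point concrete: with /dev/sda1 (8:1) mounted, the check refuses 8:1 but lets 8:0 (the whole disk) through, which is the same scope as the kernel-side check, since both look at the device that was opened and not at the sectors beneath it.

```c
/* Added example, not from the patch or the thread.  A userspace guard that
 * refuses to open a block device read-write when /proc/self/mountinfo lists
 * the same major:minor as a mounted device.  Like the kernel check discussed
 * in the thread, it is per device: /dev/sda stays writable while /dev/sda1
 * is mounted. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Constructed sample in /proc/self/mountinfo format: sda1 is the root
 * filesystem, sda2 is /home, nothing is mounted from the whole disk 8:0. */
const char SAMPLE_MOUNTINFO[] =
    "22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "35 22 0:21 / /proc rw,nosuid - proc proc rw\n"
    "60 22 8:2 / /home rw,relatime - xfs /dev/sda2 rw\n";

/* Return 1 if any mount line in mountinfo_text has device number maj:min.
 * Field 3 of each line is the "major:minor" of the mounted device. */
int mountinfo_has_device(const char *mountinfo_text, unsigned maj, unsigned min)
{
    const char *line = mountinfo_text;
    while (*line != '\0') {
        unsigned id, parent, lmaj, lmin;
        /* fields: mount-id parent-id major:minor root mountpoint ... */
        if (sscanf(line, "%u %u %u:%u", &id, &parent, &lmaj, &lmin) == 4 &&
            lmaj == maj && lmin == min)
            return 1;
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Read a whole file into a malloc'd NUL-terminated buffer.  /proc files
 * report size 0, so read until EOF instead of trusting st_size. */
static char *read_whole_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    if (!buf) { fclose(f); return NULL; }
    while ((n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (cap - len - 1 == 0) {
            char *nb = realloc(buf, cap * 2);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
            cap *= 2;
        }
    }
    fclose(f);
    buf[len] = '\0';
    return buf;
}

/* Open a block device read-write unless this process sees it mounted.
 * Returns an fd, or -1 with errno set: ENOTBLK for a non-block path,
 * EBUSY when the device's major:minor is mounted. */
int open_bdev_write_guarded(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    if (!S_ISBLK(st.st_mode)) {
        errno = ENOTBLK;
        return -1;
    }
    char *text = read_whole_file("/proc/self/mountinfo");
    if (!text)
        return -1;
    int mounted = mountinfo_has_device(text, major(st.st_rdev), minor(st.st_rdev));
    free(text);
    if (mounted) {
        errno = EBUSY;
        return -1;
    }
    /* O_EXCL on a block device makes the kernel itself refuse with EBUSY
     * when the device is in use (see open(2)); keep it as a second layer. */
    return open(path, O_RDWR | O_EXCL);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /dev/<blockdev>\n", argv[0]);
        return 2;
    }
    int fd = open_bdev_write_guarded(argv[1]);
    if (fd < 0) {
        perror(argv[1]);
        return 1;
    }
    printf("%s opened read-write (not mounted in this mount namespace)\n", argv[1]);
    close(fd);
    return 0;
}
```

Build with `cc -o bdev_guard bdev_guard.c` and run it as root against a device node. Two limits worth knowing before relying on it: the check only sees mounts visible in the caller's mount namespace, and, as the thread says, it does nothing about writes to the whole disk that land on a mounted partition's sectors; a guard that wants to cover that case has to map the partition back to its parent disk (for example through sysfs) and refuse the parent too.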