From: Chris Wright <chrisw@sous-sol.org>
To: Andrew Morton <akpm@linux-foundataion.org>,
Al Viro <viro@ZenIV.linux.org.uk>,
"Serge E. Hallyn" <serge.hallyn@canonical.com>,
Christoph Hellwig <hch@infradead.org>
Cc: "Daniel P. Berrange" <berrange@redhat.com>, linux-kernel@vger.kernel.org
Subject: [PATCH] blkdev: cgroup whitelist permission fix
Date: Thu, 22 Jul 2010 17:03:48 -0700 [thread overview]
Message-ID: <20100723000348.GD24905@sequoia.sous-sol.org> (raw)
The cgroup device whitelist code gets confused when trying to grant
permission to a disk partition that is not currently open. Part of
blkdev_open() includes __blkdev_get() on the whole disk. This simply
avoids the cgroup check for the whole disk case when opening a
partition. This bug describes the details.
https://bugzilla.redhat.com/show_bug.cgi?id=589662
Basically, the only ways to reliably allow a cgroup access to a partition
on a block device when using the whitelist are to 1) also give it access
to the whole block device or 2) make sure the partition is already open
in a different context.
Seems valid for 2.6.35 and -stable to me, as it's currently broken and
causes libvirt's container support to fail.
Acked-by: Serge E. Hallyn <serue@us.ibm.com>
Tested-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: stable@kernel.org
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
fs/block_dev.c | 10 ++++++----
1 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 7346c96..09b107e 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1315,10 +1315,12 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
/*
* hooks: /n/, see "layering violations".
*/
- ret = devcgroup_inode_permission(bdev->bd_inode, perm);
- if (ret != 0) {
- bdput(bdev);
- return ret;
+ if (!for_part) {
+ ret = devcgroup_inode_permission(bdev->bd_inode, perm);
+ if (ret != 0) {
+ bdput(bdev);
+ return ret;
+ }
}
lock_kernel();
next reply other threads:[~2010-07-23 0:04 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-23 0:03 Chris Wright [this message]
-- strict thread matches above, loose matches on Subject: below --
2010-06-04 20:15 [PATCH] blkdev: cgroup whitelist permission fix Chris Wright
2010-07-15 15:54 ` Chris Wright
2010-05-14 7:40 Chris Wright
2010-05-18 4:45 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100723000348.GD24905@sequoia.sous-sol.org \
--to=chrisw@sous-sol.org \
--cc=akpm@linux-foundataion.org \
--cc=berrange@redhat.com \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=serge.hallyn@canonical.com \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.