From mboxrd@z Thu Jan 1 00:00:00 1970 From: Seth Forshee Subject: [PATCH v2 2/7] block_dev: Check permissions towards block device inode when mounting Date: Tue, 13 Oct 2015 12:04:15 -0500 Message-ID: <1444755861-54997-3-git-send-email-seth.forshee@canonical.com> References: <1444755861-54997-1-git-send-email-seth.forshee@canonical.com> Cc: Serge Hallyn , Andy Lutomirski , linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov, linux-kernel@vger.kernel.org, linux-mtd@lists.infradead.org, linux-bcache@vger.kernel.org, dm-devel@redhat.com, linux-raid@vger.kernel.org, Seth Forshee To: "Eric W. Biederman" , Alexander Viro Return-path: In-Reply-To: <1444755861-54997-1-git-send-email-seth.forshee@canonical.com> Sender: linux-bcache-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org Unprivileged users should not be able to mount block devices when they lack sufficient privileges towards the block device inode. Update blkdev_get_by_path() to validate that the user has the required access to the inode at the specified path. The check will be skipped for CAP_SYS_ADMIN, so privileged mounts will continue working as before. Signed-off-by: Seth Forshee --- fs/block_dev.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/block_dev.c b/fs/block_dev.c index f1f0aa7214a3..54d94cd64577 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c @@ -1394,9 +1394,14 @@ struct block_device *blkdev_get_by_path(const char *path, fmode_t mode, void *holder) { struct block_device *bdev; + int perm = 0; int err; - bdev = lookup_bdev(path, 0); + if (mode & FMODE_READ) + perm |= MAY_READ; + if (mode & FMODE_WRITE) + perm |= MAY_WRITE; + bdev = lookup_bdev(path, perm); if (IS_ERR(bdev)) return bdev; -- 1.9.1