From: "Colin Walters" <walters@verbum.org>
To: "Bart Van Assche" <bvanassche@acm.org>, "Jan Kara" <jack@suse.cz>,
"Jens Axboe" <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org,
"Christoph Hellwig" <hch@infradead.org>,
"Dmitry Vyukov" <dvyukov@google.com>,
"Theodore Ts'o" <tytso@mit.edu>, yebin <yebin@huaweicloud.com>,
linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] block: Add config option to not allow writing to mounted devices
Date: Mon, 12 Jun 2023 14:52:54 -0400 [thread overview]
Message-ID: <a6c355f7-8c60-4aab-8f0c-5c6310f9c2a8@betaapp.fastmail.com> (raw)
In-Reply-To: <2f629dc3-fe39-624f-a2fe-d29eee1d2b82@acm.org>
On Mon, Jun 12, 2023, at 1:39 PM, Bart Van Assche wrote:
> On 6/12/23 09:25, Jan Kara wrote:
>> On Mon 12-06-23 18:16:14, Jan Kara wrote:
>>> Writing to mounted devices is dangerous and can lead to filesystem
>>> corruption as well as crashes. Furthermore syzbot comes with more and
>>> more involved examples how to corrupt block device under a mounted
>>> filesystem leading to kernel crashes and reports we can do nothing
>>> about. Add config option to disallow writing to mounted (exclusively
>>> open) block devices. Syzbot can use this option to avoid uninteresting
>>> crashes. Also users whose userspace setup does not need writing to
>>> mounted block devices can set this config option for hardening.
>>>
>>> Link: https://lore.kernel.org/all/60788e5d-5c7c-1142-e554-c21d709acfd9@linaro.org
>>> Signed-off-by: Jan Kara <jack@suse.cz>
>>
>> Please disregard this patch. I had uncommited fixups in my tree. I'll send
>> fixed version shortly. I'm sorry for the noise.
>
> Have alternatives been configured to making this functionality configurable
> at build time only? How about a kernel command line parameter instead of a
> config option?
It's not just syzbot here; at least once in my life I accidentally did `dd if=/path/to/foo.iso of=/dev/sda` when `/dev/sda` was my booted disk and not the target USB device. I know I'm not alone =)
There's a lot of similar accidental-damage protection from this. Another stronger argument here is that if one has a security policy that restricts access to filesystem level objects, if a process can somehow write to a mounted block device, it effectively subverts all of those controls.
Right now it looks to me we're invoking devcgroup_check_permission pretty early on; maybe we could extend the device cgroup stuff to have a new check for write-mounted, like
```
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index c994ff5b157c..f2af33c5acc1 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -6797,6 +6797,7 @@ enum {
BPF_DEVCG_ACC_MKNOD = (1ULL << 0),
BPF_DEVCG_ACC_READ = (1ULL << 1),
BPF_DEVCG_ACC_WRITE = (1ULL << 2),
+ BPF_DEVCG_ACC_WRITE_MOUNTED = (1ULL << 3),
};
enum {
```
? But probably this would need to be some kind of opt-in flag to avoid breaking existing bpf progs?
If it was configurable via the device cgroup, then it's completely flexible from userspace; most specifically including supporting some specially privileged processes from doing it if necessary.
Also, I wonder if we should also support restricting *reads* from mounted block devices?
next prev parent reply other threads:[~2023-06-12 18:53 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-12 16:16 [PATCH] block: Add config option to not allow writing to mounted devices Jan Kara
2023-06-12 16:25 ` Jan Kara
2023-06-12 17:39 ` Bart Van Assche
2023-06-12 17:47 ` Theodore Ts'o
2023-06-12 18:52 ` Colin Walters [this message]
2023-06-13 11:34 ` Jan Kara
2023-06-14 1:55 ` Darrick J. Wong
2023-06-14 7:14 ` Christoph Hellwig
2023-06-14 7:05 ` Christian Brauner
2023-06-14 7:07 ` Christoph Hellwig
2023-06-14 7:10 ` Christoph Hellwig
2023-06-14 10:12 ` Jan Kara
2023-06-14 14:30 ` Christoph Hellwig
2023-06-14 14:46 ` Matthew Wilcox
2023-06-13 4:56 ` kernel test robot
2023-06-13 5:10 ` Christoph Hellwig
2023-06-13 6:09 ` Dmitry Vyukov
2023-06-14 7:17 ` Christoph Hellwig
2023-06-14 8:18 ` Christian Brauner
2023-06-14 10:36 ` Jan Kara
2023-06-14 12:48 ` Christian Brauner
2023-06-15 14:39 ` Jan Kara
2023-06-14 14:31 ` Christoph Hellwig
2023-06-13 20:56 ` Jan Kara
2023-06-14 7:20 ` Christoph Hellwig
2023-06-20 10:41 ` Jan Kara
2023-06-20 11:29 ` Christoph Hellwig
2023-06-14 7:35 ` Christian Brauner
2023-06-13 6:49 ` Dmitry Vyukov
2023-06-13 19:22 ` Theodore Ts'o
2023-06-14 0:26 ` Dave Chinner
2023-06-14 2:04 ` Darrick J. Wong
2023-06-14 2:57 ` Theodore Ts'o
2023-06-14 12:27 ` Dmitry Vyukov
2023-06-14 23:38 ` Dave Chinner
2023-06-15 9:14 ` Dmitry Vyukov
2023-06-18 23:35 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a6c355f7-8c60-4aab-8f0c-5c6310f9c2a8@betaapp.fastmail.com \
--to=walters@verbum.org \
--cc=axboe@kernel.dk \
--cc=bvanassche@acm.org \
--cc=dvyukov@google.com \
--cc=hch@infradead.org \
--cc=jack@suse.cz \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=tytso@mit.edu \
--cc=yebin@huaweicloud.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).