[PATCH] xfs: disallow ro->rw remount on norecovery mount

[PATCH] xfs: disallow ro->rw remount on norecovery mount

[Eric Sandeen]

There's a bit of a loophole in norecovery mount handling right
now: an initial mount must be readonly, but nothing prevents
a mount -o remount,rw from producing a writable, unrecovered
xfs filesystem.

It might be possible to try to perform a log recovery when this
is requested, but I'm not sure it's worth the effort.  For now,
simply disallow this sort of transition.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---

diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
index 8fcc4cc..a6cc7a9 100644
--- a/fs/xfs/xfs_super.c
+++ b/fs/xfs/xfs_super.c
@@ -1256,6 +1256,12 @@ xfs_fs_remount(
 
 	/* ro -> rw */
 	if ((mp->m_flags & XFS_MOUNT_RDONLY) && !(*flags & MS_RDONLY)) {
+		if (mp->m_flags & XFS_MOUNT_NORECOVERY) {
+			xfs_warn(mp,
+		"ro->rw transition prohibited on norecovery mount");
+			return -EINVAL;
+		}
+
 		mp->m_flags &= ~XFS_MOUNT_RDONLY;
 
 		/*

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH] xfs: disallow ro->rw remount on norecovery mount

[Dave Chinner]

On Thu, Mar 26, 2015 at 03:03:30PM -0500, Eric Sandeen wrote:
> There's a bit of a loophole in norecovery mount handling right
> now: an initial mount must be readonly, but nothing prevents
> a mount -o remount,rw from producing a writable, unrecovered
> xfs filesystem.
> 
> It might be possible to try to perform a log recovery when this
> is requested, but I'm not sure it's worth the effort.  For now,
> simply disallow this sort of transition.
> 
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>

Good catch.

Shouldn't this also check for a ro block device, and disallow the
rw remount if the block dev is ro?

Cheers,

Dave.
-- 
Dave Chinner
david@fromorbit.com

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs

Re: [PATCH] xfs: disallow ro->rw remount on norecovery mount

[Eric Sandeen]

On 3/26/15 3:59 PM, Dave Chinner wrote:
> On Thu, Mar 26, 2015 at 03:03:30PM -0500, Eric Sandeen wrote:
>> There's a bit of a loophole in norecovery mount handling right
>> now: an initial mount must be readonly, but nothing prevents
>> a mount -o remount,rw from producing a writable, unrecovered
>> xfs filesystem.
>>
>> It might be possible to try to perform a log recovery when this
>> is requested, but I'm not sure it's worth the effort.  For now,
>> simply disallow this sort of transition.
>>
>> Signed-off-by: Eric Sandeen <sandeen@redhat.com>
> 
> Good catch.
> 
> Shouldn't this also check for a ro block device, and disallow the
> rw remount if the block dev is ro?

Seems to be covered already:

# blockdev --setro /dev/sdb1 
# mount /dev/sdb1 /mnt/test
mount: block device /dev/sdb1 is write-protected, mounting read-only
# grep sdb1 /proc/mounts
/dev/sdb1 /mnt/test xfs ro,seclabel,relatime,attr2,inode64,noquota 0 0

# mount -o remount,rw /mnt/test
mount: cannot remount block device /dev/sdb1 read-write, is write-protected

from strace:

mount("/dev/sdb1", "/mnt/test", 0x7ff230271d90, MS_MGC_VAL|MS_REMOUNT, NULL) = -1 EACCES (Permission denied)

Ah, from fs/super.c:

do_remount_sb()

...

#ifdef CONFIG_BLOCK
        if (!(flags & MS_RDONLY) && bdev_read_only(sb->s_bdev))
                return -EACCES;
#endif

-Eric

_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs