Commit 7db9cfd380205f6b50afdc3bc3619f876a5eaf0d
Committed by
Linus Torvalds
Linus Torvalds
1 parent
cc9cb219aa
Exists in
master
and in
4 other branches
devscgroup: check for device permissions at mount time
Currently even if a task sits in an all-denied cgroup it can still mount any block device in any mode it wants. Put a proper check in do_open for block device to prevent this. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: Serge Hallyn <serue@us.ibm.com> Tested-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Showing 1 changed file with 7 additions and 1 deletions Side-by-side Diff
fs/block_dev.c
| ... | ... | @@ -12,6 +12,7 @@ |
| 12 | 12 | #include <linux/kmod.h> |
| 13 | 13 | #include <linux/major.h> |
| 14 | 14 | #include <linux/smp_lock.h> |
| 15 | +#include <linux/device_cgroup.h> | |
| 15 | 16 | #include <linux/highmem.h> |
| 16 | 17 | #include <linux/blkdev.h> |
| 17 | 18 | #include <linux/module.h> |
| 18 | 19 | |
| ... | ... | @@ -928,9 +929,14 @@ |
| 928 | 929 | { |
| 929 | 930 | struct module *owner = NULL; |
| 930 | 931 | struct gendisk *disk; |
| 931 | - int ret = -ENXIO; | |
| 932 | + int ret; | |
| 932 | 933 | int part; |
| 933 | 934 | |
| 935 | + ret = devcgroup_inode_permission(bdev->bd_inode, file->f_mode); | |
| 936 | + if (ret != 0) | |
| 937 | + return ret; | |
| 938 | + | |
| 939 | + ret = -ENXIO; | |
| 934 | 940 | file->f_mapping = bdev->bd_inode->i_mapping; |
| 935 | 941 | lock_kernel(); |
| 936 | 942 | disk = get_gendisk(bdev->bd_dev, &part); |