Commit f44d04e
rbd: require global CAP_SYS_ADMIN for mapping and unmapping
It turns out that currently we rely only on sysfs attribute
permissions:
$ ll /sys/bus/rbd/{add*,remove*}
--w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/add
--w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/add_single_major
--w------- 1 root root 4096 Sep 3 20:37 /sys/bus/rbd/remove
--w------- 1 root root 4096 Sep 3 20:38 /sys/bus/rbd/remove_single_major
This means that images can be mapped and unmapped (i.e. block devices
can be created and deleted) by a UID 0 process even after it drops all
privileges or by any process with CAP_DAC_OVERRIDE in its user namespace
as long as UID 0 is mapped into that user namespace.
Be consistent with other virtual block devices (loop, nbd, dm, md, etc)
and require CAP_SYS_ADMIN in the initial user namespace for mapping and
unmapping, and also for dumping the configuration string and refreshing
the image header.
Cc: stable@vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
1 parent f4d51df commit f44d04e
1 file changed
Lines changed: 12 additions & 0 deletions
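To make the cases the commit message distinguishes concrete, here is an added userspace C model (not kernel code and not part of this commit) of the two checks that gate a write to /sys/bus/rbd/add: the sysfs file-permission check the driver used to rely on, and the capable(CAP_SYS_ADMIN) check the fix adds. The cred and user_ns structs, capability bits and function names are simplified stand-ins for the kernel's, chosen for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model (not kernel code) of the two checks gating a write to
 * /sys/bus/rbd/add: the sysfs file-permission (DAC) check the driver
 * used to rely on, and the capable(CAP_SYS_ADMIN) check added on top. */
#define CAP_DAC_OVERRIDE (1u << 0)
#define CAP_SYS_ADMIN    (1u << 1)

struct user_ns { bool is_init; bool uid0_mapped; };
struct cred { unsigned uid; unsigned caps; const struct user_ns *ns; };

static const struct user_ns init_ns  = { .is_init = true,  .uid0_mapped = true };
static const struct user_ns child_ns = { .is_init = false, .uid0_mapped = true }; /* unprivileged userns */

/* --w------- root root: the owner (UID 0) may write, and so may a task holding
 * CAP_DAC_OVERRIDE in a user namespace into which UID 0 is mapped. */
static bool sysfs_dac_allows_write(const struct cred *c)
{
    return c->uid == 0 || ((c->caps & CAP_DAC_OVERRIDE) && c->ns->uid0_mapped);
}

/* capable(CAP_SYS_ADMIN) is evaluated against the initial user namespace;
 * CAP_SYS_ADMIN granted inside a child namespace does not count. */
static bool capable_sys_admin(const struct cred *c)
{
    return c->ns->is_init && (c->caps & CAP_SYS_ADMIN);
}

/* Before the fix: the file permission was the only barrier. */
bool rbd_add_allowed_before(const struct cred *c)
{
    return sysfs_dac_allows_write(c);
}

/* After the fix: the store handler also refuses (-EPERM) unless the caller
 * holds global CAP_SYS_ADMIN, matching loop, nbd, dm and md. */
bool rbd_add_allowed_after(const struct cred *c)
{
    return sysfs_dac_allows_write(c) && capable_sys_admin(c);
}

int main(void)
{
    /* UID 0 that dropped every capability; root of an unprivileged user namespace. */
    const struct cred dropped = { .uid = 0, .caps = 0, .ns = &init_ns };
    const struct cred nsroot  = { .uid = 1000, .caps = CAP_DAC_OVERRIDE | CAP_SYS_ADMIN, .ns = &child_ns };
    printf("dropped-caps root: before=%d after=%d\n", rbd_add_allowed_before(&dropped), rbd_add_allowed_after(&dropped));
    printf("userns root:       before=%d after=%d\n", rbd_add_allowed_before(&nsroot), rbd_add_allowed_after(&nsroot));
    return 0;
}
```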
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
5120 | 5120 | | |
5121 | 5121 | | |
5122 | 5122 | | |
| 5123 | + | |
| 5124 | + | |
| 5125 | + | |
5123 | 5126 | | |
5124 | 5127 | | |
5125 | 5128 | | |
| |||
5231 | 5234 | | |
5232 | 5235 | | |
5233 | 5236 | | |
| 5237 | + | |
| 5238 | + | |
| 5239 | + | |
5234 | 5240 | | |
5235 | 5241 | | |
5236 | 5242 | | |
| |||
7059 | 7065 | | |
7060 | 7066 | | |
7061 | 7067 | | |
| 7068 | + | |
| 7069 | + | |
| 7070 | + | |
7062 | 7071 | | |
7063 | 7072 | | |
7064 | 7073 | | |
| |||
7209 | 7218 | | |
7210 | 7219 | | |
7211 | 7220 | | |
| 7221 | + | |
| 7222 | + | |
| 7223 | + | |
7212 | 7224 | | |
7213 | 7225 | | |
7214 | 7226 | | |
| |||