• Paolo Bonzini's avatar
    block: fail SCSI passthrough ioctls on partition devices · 0bfc96cb
    Paolo Bonzini authored
    Linux allows executing the SG_IO ioctl on a partition or LVM volume, and
    will pass the command to the underlying block device.  This is
    well-known, but it is also a large security problem when (via Unix
    permissions, ACLs, SELinux or a combination thereof) a program or user
    needs to be granted access only to part of the disk.
    
    This patch lets partitions forward a small set of harmless ioctls;
    others are logged with printk so that we can see which ioctls are
    actually sent.  In my tests only CDROM_GET_CAPABILITY actually occurred.
    Of course it was being sent to a (partition on a) hard disk, so it would
    have failed with ENOTTY and the patch isn't changing anything in
    practice.  Still, I'm treating it specially to avoid spamming the logs.
    
    In principle, this restriction should include programs running with
    CAP_SYS_RAWIO.  If for example I let a program access /dev/sda2 and
    /dev/sdb, it still should not be able to read/write outside the
    boundaries of /dev/sda2 independent of the capabilities.  However, for
    now programs with CAP_SYS_RAWIO will still be allowed to send the
    ioctls.  Their actions will still be logged.
    
    This patch does not affect the non-libata IDE driver.  That driver
    however already tests for bd != bd->bd_contains before issuing some
    ioctl; it could be restricted further to forbid these ioctls even for
    programs running with CAP_SYS_ADMIN/CAP_SYS_RAWIO.
    
    Cc: linux-scsi@vger.kernel.org
    Cc: Jens Axboe <axboe@kernel.dk>
    Cc: James Bottomley <JBottomley@parallels.com>
    Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
    [ Make it also print the command name when warning - Linus ]
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    0bfc96cb
scsi_ioctl.c 19.6 KB