lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y9qQ9i6rNvJWPbV+@itl-email>
Date:   Wed, 1 Feb 2023 11:18:54 -0500
From:   Demi Marie Obenour <demi@...isiblethingslab.com>
To:     Christoph Hellwig <hch@...radead.org>
Cc:     Jens Axboe <axboe@...nel.dk>,
        Marek Marczykowski-Górecki 
        <marmarek@...isiblethingslab.com>, linux-block@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 1/7] block: Support creating a struct file from a
 block device

On Tue, Jan 31, 2023 at 11:45:55PM -0800, Christoph Hellwig wrote:
> On Tue, Jan 31, 2023 at 11:27:59AM -0500, Demi Marie Obenour wrote:
> > While it is easy to provide userspace with an FD to any struct file, it
> > is *not* easy to obtain a struct file for a given struct block_device.
> > I could have had device-mapper implement everything itself, but that
> > would have duplicated a large amount of code already in the block layer.
> > Instead, I decided to refactor the block layer to provide a function
> > that does exactly what was needed.  The result was this patch.  In the
> > future, I would like to add an ioctl for /dev/loop-control that creates
> > a loop device and returns a file descriptor to the loop device.  I could
> > also see iSCSI supporting this, with the socket file descriptor being
> > passed in from userspace.
> 
> And it is somewhat intentional that you can't.  Block device inodes
> have interesting life times and are never directly exposed to userspace
> at all.  They are internal, and only f_mapping of a file system inode
> delegates to them or I/O.  Your patch now magically exposes them to
> userspace.

The intention is that the file descriptor is equvalent to what one would
get by first creating the device and then opening it.  If it is not,
that is a bug in one of my patches.

> And it then bypasses all pathname and inode permission
> based access checks and auditing.  So we can't just do it.

Accessing /dev/mapper/control is already enough to panic the kernel, so
presumably only fully trusted userspace can make the ioctl to begin
with.  Furthermore, this only allows a userspace process to get a file
descriptor to the device-mapper device it itself created.

> > blkdev_do_open() does not solve any problem for me at this time.
> > Instead, it represents the code shared by blkdev_get_by_dev() and
> > blkdev_get_file().  I decided to export it because it could be of
> > independent use to others.  In particular, it could potentially
> > simplify disk_scan_partitions() in block/genhd.c, pkt_new_dev() in
> > pktcdvd, backing_dev_store() in zram, and f2fs_scan_devices() in f2fs.
> 
> All thse need to actually open the underlying device as they do I/O.
> Doing I/O without opening the device is a no-go.

blkdev_do_open() *does* open the device.  If it doesn’t, that’s a bug.
In v2 I will add the same access control checks that blkdev_get_by_dev()
does.  Is this sufficient?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ