[SRU][X][CVE-2020-25284][PATCH 1/1] rbd: require global CAP_SYS_ADMIN for mapping and unmapping

[William Breathitt Gray]

From: Ilya Dryomov <idryomov at gmail.com>

It turns out that currently we rely only on sysfs attribute
permissions:

  $ ll /sys/bus/rbd/{add*,remove*}
  --w------- 1 root root 4096 Sep  3 20:37 /sys/bus/rbd/add
  --w------- 1 root root 4096 Sep  3 20:37 /sys/bus/rbd/add_single_major
  --w------- 1 root root 4096 Sep  3 20:37 /sys/bus/rbd/remove
  --w------- 1 root root 4096 Sep  3 20:38 /sys/bus/rbd/remove_single_major

This means that images can be mapped and unmapped (i.e. block devices
can be created and deleted) by a UID 0 process even after it drops all
privileges or by any process with CAP_DAC_OVERRIDE in its user namespace
as long as UID 0 is mapped into that user namespace.

Be consistent with other virtual block devices (loop, nbd, dm, md, etc)
and require CAP_SYS_ADMIN in the initial user namespace for mapping and
unmapping, and also for dumping the configuration string and refreshing
the image header.

Cc: stable at vger.kernel.org
Signed-off-by: Ilya Dryomov <idryomov at gmail.com>
Reviewed-by: Jeff Layton <jlayton at kernel.org>

CVE-2020-25284

(backported from commit f44d04e696feaf13d192d942c4f14ad2e117065a)
[ vilhelmgray: Remove changes for sysfs attr that do not exist ]
Signed-off-by: William Breathitt Gray <william.gray at canonical.com>
---
 drivers/block/rbd.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
index 995d9c432744..80050ab66080 100644
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -3945,6 +3945,9 @@ static ssize_t rbd_image_refresh(struct device *dev,
 	struct rbd_device *rbd_dev = dev_to_rbd_dev(dev);
 	int ret;
 
+	if (!capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	ret = rbd_dev_refresh(rbd_dev);
 	if (ret)
 		return ret;
-- 
2.25.1