ACK: [SRU][F/B/X][CVE-2020-25284][PATCH v2 0/1] rbd: require global CAP_SYS_ADMIN for mapping and unmapping
Colin Ian King
colin.king at canonical.com
Fri Sep 25 17:02:13 UTC 2020
On 25/09/2020 17:30, William Breathitt Gray wrote:
> SRU Justification
> =================
>
> [Impact]
>
> The rbd block device driver in drivers/block/rbd.c in the Linux kernel
> through 5.8.9 used incomplete permission checking for access to rbd
> devices, which could be leveraged by local attackers to map or unmap rbd
> block devices, aka CID-f44d04e696fe.
>
> [Regression Potential]
>
> Regression potential is low. This fix simply checks if the proper
> permission is held; the only users affected by this change will be those
> who should not have access to rbd devices in the first place.
>
> [Miscellaneous]
>
> It's a simple cherry-pick for Focal and Bionic. The Xenial backport
> consisted of just removing the changes for sysfs attributes that do not
> exist in Xenial, and making minor context adjustments.
>
> Ilya Dryomov (1):
> rbd: require global CAP_SYS_ADMIN for mapping and unmapping
>
> drivers/block/rbd.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
Looks good to me. Thanks William
Acked-by: Colin Ian King <colin.king at canonical.com>
More information about the kernel-team
mailing list