diff options
| author | csjp <csjp@FreeBSD.org> | 2005-08-17 01:24:55 +0000 |
|---|---|---|
| committer | csjp <csjp@FreeBSD.org> | 2005-08-17 01:24:55 +0000 |
| commit | faafaf70f19fb9a63ea0d522614564512b578bf6 (patch) | |
| tree | 7e6d42bfe13b5f1882a65e060c6ed5b20dd69101 /sys/dev/md | |
| parent | e7d53d1ef4a88573e6636ed147683b993b130525 (diff) | |
| download | FreeBSD-src-faafaf70f19fb9a63ea0d522614564512b578bf6.zip FreeBSD-src-faafaf70f19fb9a63ea0d522614564512b578bf6.tar.gz | |
Ensure that file flags such as schg, sappnd (and others) are honored
by md(4). Before this change, it was possible to by-pass these flags
by creating memory disks which used a file as a backing store and
writing to the device.
This was discussed by the security team, and although this is problematic,
it was decided that it was not critical as we never guarantee that root will
be restricted.
This change implements the following behavior changes:
-If the user specifies the readonly flag, unset write operations before
opening the file. If the FWRITE mask is unset, the device will be
created with the MD_READONLY mask set. (readonly)
-Add a check in g_md_access which checks to see if the MD_READONLY mask
is set, if so return EROFS
-Do not gracefully downgrade access modes without telling the user. Instead
make the user specify their intentions for the device (assuming the file is
read only). This seems like the more correct way to handle things.
This is a RELENG_6 candidate.
PR: kern/84635
Reviewed by: phk
Diffstat (limited to 'sys/dev/md')
| -rw-r--r-- | sys/dev/md/md.c | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/sys/dev/md/md.c b/sys/dev/md/md.c index 908d123..07fbbb3 100644 --- a/sys/dev/md/md.c +++ b/sys/dev/md/md.c @@ -361,6 +361,8 @@ g_md_access(struct g_provider *pp, int r, int w, int e) r += pp->acr; w += pp->acw; e += pp->ace; + if ((sc->flags & MD_READONLY) != 0 && w > 0) + return (EROFS); if ((pp->acr + pp->acw + pp->ace) == 0 && (r + w + e) > 0) { sc->opencount = 1; } else if ((pp->acr + pp->acw + pp->ace) > 0 && (r + w + e) == 0) { @@ -880,16 +882,14 @@ mdcreate_vnode(struct md_s *sc, struct md_ioctl *mdio, struct thread *td) if (error != 0) return (error); flags = FREAD|FWRITE; + /* + * If the user specified that this is a read only device, unset the + * FWRITE mask before trying to open the backing store. + */ + if ((mdio->md_options & MD_READONLY) != 0) + flags &= ~FWRITE; NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, sc->file, td); error = vn_open(&nd, &flags, 0, -1); - if (error != 0) { - NDFREE(&nd, NDF_ONLY_PNBUF); - if (error != EACCES && error != EPERM && error != EROFS) - return (error); - flags &= ~FWRITE; - NDINIT(&nd, LOOKUP, FOLLOW, UIO_SYSSPACE, sc->file, td); - error = vn_open(&nd, &flags, 0, -1); - } NDFREE(&nd, NDF_ONLY_PNBUF); if (error != 0) return (error); |
