Re: [PATCH] fs/sync.c : Add CAP_SYS_ADMIN checking before sync

[Richard Weinberger]

On Thu, Apr 16, 2015 at 5:08 PM, Azat Khuzhin <a3at.mail@xxxxxxxxx> wrote:
> On Thu, Apr 16, 2015 at 07:43:34PM +0800, Wuqixuan wrote:
>> The process, supposed in one container, can't flush the metadata
>> and data of the all host's partitions without CAP_SYS_ADMIN
>> capability, like sys_mount is doing. The checking will prevent some
>> vicious programs impacting IO sequnces of those partitions,
>> particularly, the ones which can't be accessed in the container.
>>
>> Signed-off-by: Last Wu <wuqixuan@xxxxxxxxxx>
>> ---
>> fs/sync.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/fs/sync.c b/fs/sync.c
>> index fbc98ee..9f07909 100644
>> --- a/fs/sync.c
>> +++ b/fs/sync.c
>> @@ -103,6 +103,9 @@ SYSCALL_DEFINE0(sync)
>> {
>> int nowait = 0, wait = 1;
>>
>> + if (!capable(CAP_SYS_ADMIN))
>> + return -EPERM;
>
> So after this patch I can't call sync as a regular user? (even without
> containers).
> But nothing in sync(2) says about special permissions for this.

Yeah, this solution will break userspace.
A much more generic solution would be to wait for cgroup aware writeback[1].
As temporary hack you can check whether the calling process is in the
initial pid namesapce to detect
a container calling sync(2)...

[1] https://lwn.net/Articles/628631/

-- 
Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/