Date: Thu, 14 Jul 2022 16:13:24 -0400
From: Mike Snitzer
To: Daniil Lunev
Cc: Alasdair Kergon, Brian Geffon, dm-devel@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] dm: add message command to disallow device open
In-Reply-To: <20220704100221.1.I15b3f7a84ba5a97fde9276648e391b54957103ff@changeid>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jul 03 2022 at 8:02P -0400, Daniil Lunev wrote:

> A message can be passed to device mapper to prohibit open on a certain
> mapped device. This makes it possible to disallow userspace access to
> raw swapped data if the system uses device mapper to encrypt it at rest.
>
> Signed-off-by: Daniil Lunev

This commit header and patch make little sense to me.

If you're concerned about a normal (non-root) user having read access to the swap device then disallow non-root user access permissions on the swap device.

Why is an encrypted swap device any different than any other encrypted device?

As is, this patch seems to be the wrong way to achieve your desired result. If you or someone else on the chromium team can better defend/explain the need for this change please do so.

Thanks,
Mike

> --- > > drivers/md/dm-core.h | 1 + > drivers/md/dm-ioctl.c | 10 ++++++++++ > drivers/md/dm.c | 12 ++++++++++++ > drivers/md/dm.h | 10 ++++++++++ > include/uapi/linux/dm-ioctl.h | 5 +++++ > 5 files changed, 38 insertions(+) > > diff --git a/drivers/md/dm-core.h b/drivers/md/dm-core.h > index 4277853c75351..37529b605b7c4 100644 > --- a/drivers/md/dm-core.h > +++ b/drivers/md/dm-core.h > @@ -140,6 +140,7 @@ struct mapped_device { > #define DMF_SUSPENDED_INTERNALLY 7 > #define DMF_POST_SUSPENDING 8 > #define DMF_EMULATE_ZONE_APPEND 9 > +#define DMF_DISALLOW_OPEN 10 > > void disable_discard(struct mapped_device *md); > void disable_write_zeroes(struct mapped_device *md); > diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c > index 87310fceb0d86..e35d560aa2ff3 100644 > --- a/drivers/md/dm-ioctl.c > +++ b/drivers/md/dm-ioctl.c > @@ -815,6 +815,9 @@ static void __dev_status(struct mapped_device *md, struct dm_ioctl *param) > if (dm_test_deferred_remove_flag(md)) > param->flags |= DM_DEFERRED_REMOVE; > > + if (dm_test_disallow_open_flag(md)) > + param->flags |= DM_DISALLOWED_OPEN; > + > param->dev = huge_encode_dev(disk_devt(disk)); > > /* 
> @@ -1656,6 +1659,13 @@ static int message_for_md(struct mapped_device *md, unsigned argc, char **argv, > } > return dm_cancel_deferred_remove(md); > } > + if (!strcasecmp(argv[0], "@disallow_open")) { > + if (argc != 1) { > + DMERR("Invalid arguments for @disallow_open"); > + return -EINVAL; > + } > + return dm_disallow_open(md); > + } > > r = dm_stats_message(md, argc, argv, result, maxlen); > if (r < 2) > diff --git a/drivers/md/dm.c b/drivers/md/dm.c > index 82957bd460e89..3e53d1bd40f0c 100644 > --- a/drivers/md/dm.c > +++ b/drivers/md/dm.c > @@ -327,6 +327,7 @@ static int dm_blk_open(struct block_device *bdev, fmode_t mode) > goto out; > > if (test_bit(DMF_FREEING, &md->flags) || > + test_bit(DMF_DISALLOW_OPEN, &md->flags) || > dm_deleting_md(md)) { > md = NULL; > goto out; > @@ -403,6 +404,12 @@ int dm_cancel_deferred_remove(struct mapped_device *md) > return r; > } > > +int dm_disallow_open(struct mapped_device *md) > +{ > + set_bit(DMF_DISALLOW_OPEN, &md->flags); > + return 0; > +} > + > static void do_deferred_remove(struct work_struct *w) > { > dm_deferred_remove(); > @@ -2883,6 +2890,11 @@ int dm_test_deferred_remove_flag(struct mapped_device *md) > return test_bit(DMF_DEFERRED_REMOVE, &md->flags); > } > > +int dm_test_disallow_open_flag(struct mapped_device *md) > +{ > + return test_bit(DMF_DISALLOW_OPEN, &md->flags); > +} > + > int dm_suspended(struct dm_target *ti) > { > return dm_suspended_md(ti->table->md); > diff --git a/drivers/md/dm.h b/drivers/md/dm.h > index 9013dc1a7b002..da27f9dfe1413 100644 > --- a/drivers/md/dm.h > +++ b/drivers/md/dm.h 
> @@ -163,6 +163,16 @@ int dm_test_deferred_remove_flag(struct mapped_device *md); > */ > void dm_deferred_remove(void); > > +/* > + * Test if the device is openable. > + */ > +int dm_test_disallow_open_flag(struct mapped_device *md); > + > +/* > + * Prevent new open request on the device. > + */ > +int dm_disallow_open(struct mapped_device *md); > + > /* > * The device-mapper can be driven through one of two interfaces; > * ioctl or filesystem, depending which patch you have applied. > diff --git a/include/uapi/linux/dm-ioctl.h b/include/uapi/linux/dm-ioctl.h > index 2e9550fef90fa..3b4d12d09c005 100644 > --- a/include/uapi/linux/dm-ioctl.h > +++ b/include/uapi/linux/dm-ioctl.h > @@ -382,4 +382,9 @@ enum { > */ > #define DM_IMA_MEASUREMENT_FLAG (1 << 19) /* In */ > > +/* > + * If set, the device can not be opened. > + */ > +#define DM_DISALLOWED_OPEN (1 << 20) /* Out */ > + > #endif /* _LINUX_DM_IOCTL_H */ > -- > 2.31.0 >
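Review bot: the `@disallow_open` branch added to message_for_md() in drivers/md/dm-ioctl.c introduces a new userspace-visible message, but the diffstat lists five files and none of them is documentation, so the message and the matching DM_DISALLOWED_OPEN status flag are described nowhere. Please document the message with the code, including who is expected to send it and what it means for holders that already have the device open.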
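Review bot: in the dm_blk_open() hunk of drivers/md/dm.c the new `test_bit(DMF_DISALLOW_OPEN, &md->flags)` test is folded into the DMF_FREEING / dm_deleting_md() condition, so a policy refusal takes the same `md = NULL; goto out` path as a device that is being torn down and the caller cannot tell the two apart. Consider a separate branch with its own error code. The added test is also unconditional: it does not look at `mode` or at who is opening, while the commit message frames the feature as restricting userspace access, so a comment stating the intended scope would help.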
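Review bot: dm_disallow_open() in drivers/md/dm.c only does `set_bit(DMF_DISALLOW_OPEN, &md->flags)` and nothing in the patch clears the bit, so the state is one-way for the life of the mapped device, yet neither the function comment in dm.h nor the commit message says so. If that is intended, state it explicitly. The function can also only return 0, which `return dm_disallow_open(md);` in message_for_md() passes straight back, so either note that it cannot fail or make it `void` and return 0 at the call site.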
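Review bot: in the drivers/md/dm.h hunk the comment "Test if the device is openable." above dm_test_disallow_open_flag() states the opposite of what the function returns, which is non-zero when DMF_DISALLOW_OPEN is set, that is, when the device cannot be opened. Suggest "Test if new opens of the device are disallowed."; the comment below it should read "Prevent new open requests on the device."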
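Review bot: in the include/uapi/linux/dm-ioctl.h hunk, DM_DISALLOWED_OPEN is a new UAPI flag, and the 5 insertions the diffstat reports for that header are exactly this comment and define, so nothing else in the header changes and userspace gets no way to probe whether the kernel supports the feature. The name is also inconsistent with DMF_DISALLOW_OPEN and `@disallow_open` used elsewhere in the patch, and the comment "the device can not be opened" should say that new opens are refused, since dm.h describes the operation as preventing new open requests.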