[block] fail SCSI passthrough ioctls on partition devices

[block] fail SCSI passthrough ioctls on partition devices

CVE-2011-4127.

Linux allows executing the SG_IO ioctl on a partition or even on an
LVM volume, and will pass the command to the underlying block device.
This is well-known, but it is also a large security problem when (via
Unix permissions, ACLs, SELinux or a combination thereof) a program or
user needs to be granted access to a particular partition or logical
volume but not to the full device.

This patch limits the ioctls that are forwarded to non-SCSI devices to
a few ones that are harmless.  This restriction includes programs
running with the CAP_SYS_RAWIO.  If for example I let a program access
/dev/sda2 and /dev/sdb, it still should not be able to read/write outside
the boundaries of /dev/sda2 independent of the capabilities.

This patch does not affect the non-libata IDE driver.  That driver however
alreadys test for bd != bd->bd_contains before issuing some ioctl; so,
programs that do not require CAP_SYS_RAWIO are safe.  A workaround is
just to use libata.

Encryption on the host is a mitigating factor, but it does not provide
a full solution.  In particular it doesn't protect against DoS (write
random data), replay attacks (reinstate old ciphertext sectors), or
writes to unencrypted areas including the MBR, the partition table, or
/boot.

Thanks to Daniel Berrange, Milan Broz, Mike Christie, Alasdair Kergon,
Petr Matousek, Jeff Moyer, Mike Snitzer and others for help discussing
this issue.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Joe Jin <joe.jin@oracle.com>