Commit 51f8f3c4 authored by Konstantin Khlebnikov's avatar Konstantin Khlebnikov Committed by Miklos Szeredi

ovl: drop CAP_SYS_RESOURCE from saved mounter's credentials

If overlay was mounted by root then quota set for upper layer does not work
because overlay now always use mounter's credentials for operations.
Also overlay might deplete reserved space and inodes in ext4.

This patch drops capability SYS_RESOURCE from saved credentials.
This affects creation new files, whiteouts, and copy-up operations.
Signed-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
Fixes: 1175b6b8 ("ovl: do operations on underlying file system in mounter's context")
Cc: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
parent e593b2bf
...@@ -721,6 +721,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) ...@@ -721,6 +721,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
unsigned int stacklen = 0; unsigned int stacklen = 0;
unsigned int i; unsigned int i;
bool remote = false; bool remote = false;
struct cred *cred;
int err; int err;
err = -ENOMEM; err = -ENOMEM;
...@@ -901,10 +902,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) ...@@ -901,10 +902,13 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
else else
sb->s_d_op = &ovl_dentry_operations; sb->s_d_op = &ovl_dentry_operations;
ufs->creator_cred = prepare_creds(); ufs->creator_cred = cred = prepare_creds();
if (!ufs->creator_cred) if (!cred)
goto out_put_lower_mnt; goto out_put_lower_mnt;
/* Never override disk quota limits or use reserved space */
cap_lower(cred->cap_effective, CAP_SYS_RESOURCE);
err = -ENOMEM; err = -ENOMEM;
oe = ovl_alloc_entry(numlower); oe = ovl_alloc_entry(numlower);
if (!oe) if (!oe)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment