Commit c8838e8e authored by Vivek Goyal's avatar Vivek Goyal Committed by Stefan Bader

ovl: modify ovl_permission() to do checks on two inodes

BugLink: https://bugs.launchpad.net/bugs/1836668

commit c0ca3d70 upstream.

Right now ovl_permission() calls __inode_permission(realinode), to do
permission checks on real inode and no checks are done on overlay inode.

Modify it to do checks both on overlay inode as well as underlying inode.
Checks on overlay inode will be done with the creds of calling task while
checks on underlying inode will be done with the creds of mounter.
Signed-off-by: default avatarVivek Goyal <vgoyal@redhat.com>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
[ Srivatsa: 4.4.y backport:
  - Skipped the hunk modifying non-existent function ovl_get_acl()
  - Adjusted the error path
  - Included linux/cred.h to get prototype for revert_creds() ]
Signed-off-by: default avatarSrivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent c13ed28d
......@@ -9,6 +9,7 @@
#include <linux/fs.h>
#include <linux/slab.h>
#include <linux/cred.h>
#include <linux/xattr.h>
#include "overlayfs.h"
......@@ -91,6 +92,7 @@ int ovl_permission(struct inode *inode, int mask)
struct ovl_entry *oe;
struct dentry *alias = NULL;
struct inode *realinode;
const struct cred *old_cred;
struct dentry *realdentry;
bool is_upper;
int err;
......@@ -143,7 +145,18 @@ int ovl_permission(struct inode *inode, int mask)
goto out_dput;
}
/*
* Check overlay inode with the creds of task and underlying inode
* with creds of mounter
*/
err = generic_permission(inode, mask);
if (err)
goto out_dput;
old_cred = ovl_override_creds(inode->i_sb);
err = __inode_permission(realinode, mask);
revert_creds(old_cred);
out_dput:
dput(alias);
return err;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment