Ack: overlayfs: apply device cgroup and security permissions to overlay files
On Wed, Jan 18, 2012 at 05:45:17PM +0000, Andy Whitcroft wrote:
> When checking permissions on an overlayfs inode we do not take into > account either device cgroup restrictions nor security permissions. > This allows a user to mount an overlayfs layer over a restricted device > directory and by pass those permissions to open otherwise restricted > files. > > Use devcgroup_inode_permission() and security_inode_permission() against > the underlying inodes when calculating ovl_permission(). > > CVE-2012-0055 > BugLink: http://bugs.launchpad.net/bugs/915941 > BugLink: http://bugs.launchpad.net/bugs/918212 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > fs/overlayfs/inode.c | 7 +++++++ > 1 files changed, 7 insertions(+), 0 deletions(-) > > diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c > index ce39fab..1551032 100644 > --- a/fs/overlayfs/inode.c > +++ b/fs/overlayfs/inode.c > @@ -10,6 +10,8 @@ > #include <linux/fs.h> > #include <linux/slab.h> > #include <linux/xattr.h> > +#include <linux/device_cgroup.h> > +#include <linux/security.h> > #include "overlayfs.h" > > int ovl_setattr(struct dentry *dentry, struct iattr *attr) > @@ -118,6 +120,11 @@ int ovl_permission(struct inode *inode, int mask, unsigned int flags) > else > err = generic_permission(realinode, mask, flags, > realinode->i_op->check_acl); > + > + if (!err) > + err = devcgroup_inode_permission(realinode, mask); > + if (!err) > + err = security_inode_permission(realinode, mask); > out_dput: > dput(alias); > return err; Ack, matches the behaviour looking at inode_permission, so I guess is correct (I don't know much about fs stuff). -- []'s Herton -- kernel-team mailing list kernel-team@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/kernel-team |
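Review bot: the two added checks sit after the if/else that computes err from generic_permission() and are chained with `if (!err)`, which is correct for both branches, but a one-line comment above them would help later readers, since nothing in the hunk says why devcgroup_inode_permission() and security_inode_permission() are repeated here rather than being left to the VFS; suggest something like `/* mirror the device cgroup and LSM checks inode_permission() would apply to the real inode */`. The ordering (permission bits, then device cgroup, then LSM) matches inode_permission(), as the ack notes, and applying them to realinode rather than the overlay inode is the right target since that is the inode the restrictions were set on. The new includes are placed after the existing <linux/xattr.h> include and before "overlayfs.h", consistent with the file's existing style.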