summaryrefslogtreecommitdiffstats
path: root/fs/overlayfs
diff options
context:
space:
mode:
authorJiufei Xue <jiufei.xue@linux.alibaba.com>2019-05-06 15:41:02 +0800
committerMiklos Szeredi <mszeredi@redhat.com>2019-05-06 14:00:37 +0200
commit98487de318a6f33312471ae1e2afa16fbf8361fe (patch)
tree8552812bd49f44f8d850fce0fef838f85a2f9ed9 /fs/overlayfs
parentd989903058a83e8536cc7aadf9256a47d5c173fe (diff)
downloadlinux-98487de318a6f33312471ae1e2afa16fbf8361fe.tar.bz2
ovl: check the capability before cred overridden
We found that it return success when we set IMMUTABLE_FL flag to a file in docker even though the docker didn't have the capability CAP_LINUX_IMMUTABLE. The commit d1d04ef8572b ("ovl: stack file ops") and dab5ca8fd9dd ("ovl: add lsattr/chattr support") implemented chattr operations on a regular overlay file. ovl_real_ioctl() overridden the current process's subjective credentials with ofs->creator_cred which have the capability CAP_LINUX_IMMUTABLE so that it will return success in vfs_ioctl()->cap_capable(). Fix this by checking the capability before cred overridden. And here we only care about APPEND_FL and IMMUTABLE_FL, so get these information from inode. [SzM: move check and call to underlying fs inside inode locked region to prevent two such calls from racing with each other] Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'fs/overlayfs')
-rw-r--r--fs/overlayfs/file.c79
1 files changed, 61 insertions, 18 deletions
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 7d2f01957e40..540a8b845145 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -11,6 +11,7 @@
#include <linux/mount.h>
#include <linux/xattr.h>
#include <linux/uio.h>
+#include <linux/uaccess.h>
#include "overlayfs.h"
static char ovl_whatisit(struct inode *inode, struct inode *realinode)
@@ -408,10 +409,68 @@ static long ovl_real_ioctl(struct file *file, unsigned int cmd,
return ret;
}
-static long ovl_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+static unsigned int ovl_get_inode_flags(struct inode *inode)
+{
+ unsigned int flags = READ_ONCE(inode->i_flags);
+ unsigned int ovl_iflags = 0;
+
+ if (flags & S_SYNC)
+ ovl_iflags |= FS_SYNC_FL;
+ if (flags & S_APPEND)
+ ovl_iflags |= FS_APPEND_FL;
+ if (flags & S_IMMUTABLE)
+ ovl_iflags |= FS_IMMUTABLE_FL;
+ if (flags & S_NOATIME)
+ ovl_iflags |= FS_NOATIME_FL;
+
+ return ovl_iflags;
+}
+
+static long ovl_ioctl_set_flags(struct file *file, unsigned long arg)
{
long ret;
struct inode *inode = file_inode(file);
+ unsigned int flags;
+ unsigned int old_flags;
+
+ if (!inode_owner_or_capable(inode))
+ return -EACCES;
+
+ if (get_user(flags, (int __user *) arg))
+ return -EFAULT;
+
+ ret = mnt_want_write_file(file);
+ if (ret)
+ return ret;
+
+ inode_lock(inode);
+
+ /* Check the capability before cred override */
+ ret = -EPERM;
+ old_flags = ovl_get_inode_flags(inode);
+ if (((flags ^ old_flags) & (FS_APPEND_FL | FS_IMMUTABLE_FL)) &&
+ !capable(CAP_LINUX_IMMUTABLE))
+ goto unlock;
+
+ ret = ovl_maybe_copy_up(file_dentry(file), O_WRONLY);
+ if (ret)
+ goto unlock;
+
+ ret = ovl_real_ioctl(file, FS_IOC_SETFLAGS, arg);
+
+ ovl_copyflags(ovl_inode_real(inode), inode);
+unlock:
+ inode_unlock(inode);
+
+ mnt_drop_write_file(file);
+
+ return ret;
+
+}
+
+static long ovl_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+ long ret;
switch (cmd) {
case FS_IOC_GETFLAGS:
@@ -419,23 +478,7 @@ static long ovl_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
break;
case FS_IOC_SETFLAGS:
- if (!inode_owner_or_capable(inode))
- return -EACCES;
-
- ret = mnt_want_write_file(file);
- if (ret)
- return ret;
-
- ret = ovl_maybe_copy_up(file_dentry(file), O_WRONLY);
- if (!ret) {
- ret = ovl_real_ioctl(file, cmd, arg);
-
- inode_lock(inode);
- ovl_copyflags(ovl_inode_real(inode), inode);
- inode_unlock(inode);
- }
-
- mnt_drop_write_file(file);
+ ret = ovl_ioctl_set_flags(file, arg);
break;
default: