From: Mark Salyzyn <salyzyn@android.com>
To: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com, Mark Salyzyn <salyzyn@android.com>,
John Stultz <john.stultz@linaro.org>,
Stephen Smalley <sds@tycho.nsa.gov>,
linux-security-module@vger.kernel.org
Subject: [PATCH v17 4/4] overlayfs: inode_owner_or_capable called during execv
Date: Tue, 20 Oct 2020 12:17:32 -0700 [thread overview]
Message-ID: <20201020191732.4049987-5-salyzyn@android.com> (raw)
In-Reply-To: <20201020191732.4049987-1-salyzyn@android.com>
Using old_creds as an indication that we are not overriding the
credentials, bypass call to inode_owner_or_capable. This solves
a problem with all execv calls being blocked when using the caller's
credentials.
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Fixes: 05acefb4872da ("ovl: check permission to open real file")
To: linux-fsdevel@vger.kernel.org
To: linux-unionfs@vger.kernel.org
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-kernel@vger.kernel.org
Cc: linux-security-module@vger.kernel.org
Cc: kernel-team@android.com
v17 - rebase
v16 - introduced fix over rebased series
---
fs/overlayfs/file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index b1357bb067d9..9ab9663b02d8 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -53,7 +53,7 @@ static struct file *ovl_open_realfile(const struct file *file,
err = inode_permission(realinode, MAY_OPEN | acc_mode);
if (err) {
realfile = ERR_PTR(err);
- } else if (!inode_owner_or_capable(realinode)) {
+ } else if (old_cred && !inode_owner_or_capable(realinode)) {
realfile = ERR_PTR(-EPERM);
} else {
realfile = open_with_fake_path(&file->f_path, flags, realinode,
--
2.29.0.rc1.297.gfa9743e501-goog
next prev parent reply other threads:[~2020-10-20 19:18 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-20 19:17 [PATCH v17 0/4] overlayfs override_creds=off & nested get xattr fix Mark Salyzyn
2020-10-20 19:17 ` [PATCH v17 1/4] Add flags option to get xattr method paired to __vfs_getxattr Mark Salyzyn
2020-10-21 1:17 ` Paul Moore
2020-10-21 12:07 ` Mark Salyzyn
2020-10-23 0:46 ` Paul Moore
2020-10-20 19:17 ` [PATCH v17 2/4] overlayfs: handle XATTR_NOSECURITY flag for get xattr method Mark Salyzyn
2020-10-20 22:38 ` kernel test robot
2020-10-20 22:38 ` kernel test robot
2020-10-21 12:12 ` Mark Salyzyn
2020-10-20 19:17 ` [PATCH v17 3/4] overlayfs: override_creds=off option bypass creator_cred Mark Salyzyn
2020-10-20 19:17 ` Mark Salyzyn [this message]
2020-10-20 23:10 ` [PATCH v17 0/4] overlayfs override_creds=off & nested get xattr fix Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201020191732.4049987-5-salyzyn@android.com \
--to=salyzyn@android.com \
--cc=john.stultz@linaro.org \
--cc=kernel-team@android.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.