[PATCH 1/1] overlayfs: apply device cgroup and security permissions to overlay files
From: Andy Whitcroft
Date: Fri Feb 17 2012 - 10:11:27 EST
When checking permissions on an overlayfs inode we do not take into
account either device cgroup restrictions nor security permissions.
This allows a user to mount an overlayfs layer over a restricted device
directory and by pass those permissions to open otherwise restricted
files.
Use devcgroup_inode_permission() and security_inode_permission() against
the underlying inodes when calculating ovl_permission().
Signed-off-by: Andy Whitcroft <apw@xxxxxxxxxxxxx>
---
fs/overlayfs/inode.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
Not sure whether you saw this the first time round. This was shown
up in testing with containers, specifically with device cgroups.
It seems we should be re-checking here else users can simply
bypass the containers device permissions by mounting an overlayfs
fs over them.
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index ba1a777..1145a76 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -10,6 +10,8 @@
#include <linux/fs.h>
#include <linux/slab.h>
#include <linux/xattr.h>
+#include <linux/device_cgroup.h>
+#include <linux/security.h>
#include "overlayfs.h"
int ovl_setattr(struct dentry *dentry, struct iattr *attr)
@@ -118,6 +120,11 @@ int ovl_permission(struct inode *inode, int mask)
err = realinode->i_op->permission(realinode, mask);
else
err = generic_permission(realinode, mask);
+
+ if (!err)
+ err = devcgroup_inode_permission(realinode, mask);
+ if (!err)
+ err = security_inode_permission(realinode, mask);
out_dput:
dput(alias);
return err;
--
1.7.9
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/