Skip to content

Commit

Permalink
ovl: check the capability before cred overridden
Browse files Browse the repository at this point in the history
We found that it return success when we set IMMUTABLE_FL flag to a file in
docker even though the docker didn't have the capability
CAP_LINUX_IMMUTABLE.

The commit d1d04ef ("ovl: stack file ops") and dab5ca8 ("ovl: add
lsattr/chattr support") implemented chattr operations on a regular overlay
file. ovl_real_ioctl() overridden the current process's subjective
credentials with ofs->creator_cred which have the capability
CAP_LINUX_IMMUTABLE so that it will return success in
vfs_ioctl()->cap_capable().

Fix this by checking the capability before cred overridden. And here we
only care about APPEND_FL and IMMUTABLE_FL, so get these information from
inode.

[SzM: move check and call to underlying fs inside inode locked region to
prevent two such calls from racing with each other]

Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
  • Loading branch information
Jiufei Xue authored and Miklos Szeredi committed May 6, 2019
1 parent d989903 commit 98487de
Showing 1 changed file with 61 additions and 18 deletions.
79 changes: 61 additions & 18 deletions fs/overlayfs/file.c
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
#include <linux/mount.h>
#include <linux/xattr.h>
#include <linux/uio.h>
#include <linux/uaccess.h>
#include "overlayfs.h"

static char ovl_whatisit(struct inode *inode, struct inode *realinode)
Expand Down Expand Up @@ -408,34 +409,76 @@ static long ovl_real_ioctl(struct file *file, unsigned int cmd,
return ret;
}

static long ovl_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
static unsigned int ovl_get_inode_flags(struct inode *inode)
{
unsigned int flags = READ_ONCE(inode->i_flags);
unsigned int ovl_iflags = 0;

if (flags & S_SYNC)
ovl_iflags |= FS_SYNC_FL;
if (flags & S_APPEND)
ovl_iflags |= FS_APPEND_FL;
if (flags & S_IMMUTABLE)
ovl_iflags |= FS_IMMUTABLE_FL;
if (flags & S_NOATIME)
ovl_iflags |= FS_NOATIME_FL;

return ovl_iflags;
}

static long ovl_ioctl_set_flags(struct file *file, unsigned long arg)
{
long ret;
struct inode *inode = file_inode(file);
unsigned int flags;
unsigned int old_flags;

if (!inode_owner_or_capable(inode))
return -EACCES;

if (get_user(flags, (int __user *) arg))
return -EFAULT;

ret = mnt_want_write_file(file);
if (ret)
return ret;

inode_lock(inode);

/* Check the capability before cred override */
ret = -EPERM;
old_flags = ovl_get_inode_flags(inode);
if (((flags ^ old_flags) & (FS_APPEND_FL | FS_IMMUTABLE_FL)) &&
!capable(CAP_LINUX_IMMUTABLE))
goto unlock;

ret = ovl_maybe_copy_up(file_dentry(file), O_WRONLY);
if (ret)
goto unlock;

ret = ovl_real_ioctl(file, FS_IOC_SETFLAGS, arg);

ovl_copyflags(ovl_inode_real(inode), inode);
unlock:
inode_unlock(inode);

mnt_drop_write_file(file);

return ret;

}

static long ovl_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
long ret;

switch (cmd) {
case FS_IOC_GETFLAGS:
ret = ovl_real_ioctl(file, cmd, arg);
break;

case FS_IOC_SETFLAGS:
if (!inode_owner_or_capable(inode))
return -EACCES;

ret = mnt_want_write_file(file);
if (ret)
return ret;

ret = ovl_maybe_copy_up(file_dentry(file), O_WRONLY);
if (!ret) {
ret = ovl_real_ioctl(file, cmd, arg);

inode_lock(inode);
ovl_copyflags(ovl_inode_real(inode), inode);
inode_unlock(inode);
}

mnt_drop_write_file(file);
ret = ovl_ioctl_set_flags(file, arg);
break;

default:
Expand Down

0 comments on commit 98487de

Please sign in to comment.