Patchwork [oneiric,CVE,1/1] overlayfs: apply device cgroup and security permissions to overlay files

login
register
mail settings
Submitter Andy Whitcroft
Date Jan. 18, 2012, 5:45 p.m.
Message ID <1326908717-10722-2-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/136668/
State New
Headers show

Comments

Andy Whitcroft - Jan. 18, 2012, 5:45 p.m.
When checking permissions on an overlayfs inode we do not take into
account either device cgroup restrictions nor security permissions.
This allows a user to mount an overlayfs layer over a restricted device
directory and by pass those permissions to open otherwise restricted
files.

Use devcgroup_inode_permission() and security_inode_permission() against
the underlying inodes when calculating ovl_permission().

CVE-2012-0055
BugLink: http://bugs.launchpad.net/bugs/915941
BugLink: http://bugs.launchpad.net/bugs/918212
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/overlayfs/inode.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
Herton Ronaldo Krzesinski - Jan. 18, 2012, 6:58 p.m.
On Wed, Jan 18, 2012 at 05:45:17PM +0000, Andy Whitcroft wrote:
> When checking permissions on an overlayfs inode we do not take into
> account either device cgroup restrictions nor security permissions.
> This allows a user to mount an overlayfs layer over a restricted device
> directory and by pass those permissions to open otherwise restricted
> files.
> 
> Use devcgroup_inode_permission() and security_inode_permission() against
> the underlying inodes when calculating ovl_permission().
> 
> CVE-2012-0055
> BugLink: http://bugs.launchpad.net/bugs/915941
> BugLink: http://bugs.launchpad.net/bugs/918212
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  fs/overlayfs/inode.c |    7 +++++++
>  1 files changed, 7 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
> index ce39fab..1551032 100644
> --- a/fs/overlayfs/inode.c
> +++ b/fs/overlayfs/inode.c
> @@ -10,6 +10,8 @@
>  #include <linux/fs.h>
>  #include <linux/slab.h>
>  #include <linux/xattr.h>
> +#include <linux/device_cgroup.h>
> +#include <linux/security.h>
>  #include "overlayfs.h"
>  
>  int ovl_setattr(struct dentry *dentry, struct iattr *attr)
> @@ -118,6 +120,11 @@ int ovl_permission(struct inode *inode, int mask, unsigned int flags)
>  	else
>  		err = generic_permission(realinode, mask, flags,
>  					 realinode->i_op->check_acl);
> +
> +	if (!err)
> +		err = devcgroup_inode_permission(realinode, mask);
> +	if (!err)
> +		err = security_inode_permission(realinode, mask);
>  out_dput:
>  	dput(alias);
>  	return err;

Ack, matches the behaviour looking at inode_permission, so I guess is
correct (I don't know much about fs stuff).

Patch

diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index ce39fab..1551032 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -10,6 +10,8 @@ 
 #include <linux/fs.h>
 #include <linux/slab.h>
 #include <linux/xattr.h>
+#include <linux/device_cgroup.h>
+#include <linux/security.h>
 #include "overlayfs.h"
 
 int ovl_setattr(struct dentry *dentry, struct iattr *attr)
@@ -118,6 +120,11 @@  int ovl_permission(struct inode *inode, int mask, unsigned int flags)
 	else
 		err = generic_permission(realinode, mask, flags,
 					 realinode->i_op->check_acl);
+
+	if (!err)
+		err = devcgroup_inode_permission(realinode, mask);
+	if (!err)
+		err = security_inode_permission(realinode, mask);
 out_dput:
 	dput(alias);
 	return err;