Patchwork [10/11] UBUNTU: ubuntu: overlayfs -- overlayfs: apply device cgroup and security permissions to overlay files

login
register
mail settings
Submitter Paolo Pisati
Date March 13, 2013, 9:50 a.m.
Message ID <1363168251-9374-11-git-send-email-paolo.pisati@canonical.com>
Download mbox | patch
Permalink /patch/227218/
State New
Headers show

Comments

Paolo Pisati - March 13, 2013, 9:50 a.m.
From: Andy Whitcroft <apw@canonical.com>

When checking permissions on an overlayfs inode we do not take into
account either device cgroup restrictions nor security permissions.
This allows a user to mount an overlayfs layer over a restricted device
directory and by pass those permissions to open otherwise restricted
files.

Use devcgroup_inode_permission() and security_inode_permission() against
the underlying inodes when calculating ovl_permission().

CVE-2012-0055
BugLink: http://bugs.launchpad.net/bugs/915941
BugLink: http://bugs.launchpad.net/bugs/918212
Signed-off-by: Andy Whitcroft <apw@canonical.com>
(cherry picked from commit 59aa87f808b13463bc717ad69362b5372f6c5574)

BugLink: http://bugs.launchpad.net/bugs/1076317

Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
---
 fs/overlayfs/inode.c |    7 +++++++
 1 file changed, 7 insertions(+)

Patch

diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index ba1a777..1145a76 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -10,6 +10,8 @@ 
 #include <linux/fs.h>
 #include <linux/slab.h>
 #include <linux/xattr.h>
+#include <linux/device_cgroup.h>
+#include <linux/security.h>
 #include "overlayfs.h"
 
 int ovl_setattr(struct dentry *dentry, struct iattr *attr)
@@ -118,6 +120,11 @@  int ovl_permission(struct inode *inode, int mask)
 		err = realinode->i_op->permission(realinode, mask);
 	else
 		err = generic_permission(realinode, mask);
+
+	if (!err)
+		err = devcgroup_inode_permission(realinode, mask);
+	if (!err)
+		err = security_inode_permission(realinode, mask);
 out_dput:
 	dput(alias);
 	return err;