Message ID | 1326908717-10722-2-git-send-email-apw@canonical.com |
---|---|
State | New |
Headers | show |
On Wed, Jan 18, 2012 at 05:45:17PM +0000, Andy Whitcroft wrote: > When checking permissions on an overlayfs inode we do not take into > account either device cgroup restrictions nor security permissions. > This allows a user to mount an overlayfs layer over a restricted device > directory and by pass those permissions to open otherwise restricted > files. > > Use devcgroup_inode_permission() and security_inode_permission() against > the underlying inodes when calculating ovl_permission(). > > CVE-2012-0055 > BugLink: http://bugs.launchpad.net/bugs/915941 > BugLink: http://bugs.launchpad.net/bugs/918212 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > fs/overlayfs/inode.c | 7 +++++++ > 1 files changed, 7 insertions(+), 0 deletions(-) > > diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c > index ce39fab..1551032 100644 > --- a/fs/overlayfs/inode.c > +++ b/fs/overlayfs/inode.c > @@ -10,6 +10,8 @@ > #include <linux/fs.h> > #include <linux/slab.h> > #include <linux/xattr.h> > +#include <linux/device_cgroup.h> > +#include <linux/security.h> > #include "overlayfs.h" > > int ovl_setattr(struct dentry *dentry, struct iattr *attr) > @@ -118,6 +120,11 @@ int ovl_permission(struct inode *inode, int mask, unsigned int flags) > else > err = generic_permission(realinode, mask, flags, > realinode->i_op->check_acl); > + > + if (!err) > + err = devcgroup_inode_permission(realinode, mask); > + if (!err) > + err = security_inode_permission(realinode, mask); > out_dput: > dput(alias); > return err; Ack, matches the behaviour looking at inode_permission, so I guess is correct (I don't know much about fs stuff).
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index ce39fab..1551032 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c @@ -10,6 +10,8 @@ #include <linux/fs.h> #include <linux/slab.h> #include <linux/xattr.h> +#include <linux/device_cgroup.h> +#include <linux/security.h> #include "overlayfs.h" int ovl_setattr(struct dentry *dentry, struct iattr *attr) @@ -118,6 +120,11 @@ int ovl_permission(struct inode *inode, int mask, unsigned int flags) else err = generic_permission(realinode, mask, flags, realinode->i_op->check_acl); + + if (!err) + err = devcgroup_inode_permission(realinode, mask); + if (!err) + err = security_inode_permission(realinode, mask); out_dput: dput(alias); return err;
When checking permissions on an overlayfs inode we do not take into account either device cgroup restrictions nor security permissions. This allows a user to mount an overlayfs layer over a restricted device directory and by pass those permissions to open otherwise restricted files. Use devcgroup_inode_permission() and security_inode_permission() against the underlying inodes when calculating ovl_permission(). CVE-2012-0055 BugLink: http://bugs.launchpad.net/bugs/915941 BugLink: http://bugs.launchpad.net/bugs/918212 Signed-off-by: Andy Whitcroft <apw@canonical.com> --- fs/overlayfs/inode.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-)