| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1329491451-14960-1-git-send-email-apw@canonical.com> Date: Fri, 17 Feb 2012 15:10:51 +0000 From: Andy Whitcroft <apw@...onical.com> To: Miklos Szeredi <miklos@...redi.hu> Cc: Andy Whitcroft <apw@...onical.com>, linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org, mszeredi@...e.cz Subject: [PATCH 1/1] overlayfs: apply device cgroup and security permissions to overlay files When checking permissions on an overlayfs inode we do not take into account either device cgroup restrictions nor security permissions. This allows a user to mount an overlayfs layer over a restricted device directory and by pass those permissions to open otherwise restricted files. Use devcgroup_inode_permission() and security_inode_permission() against the underlying inodes when calculating ovl_permission(). Signed-off-by: Andy Whitcroft <apw@...onical.com> --- fs/overlayfs/inode.c | 7 +++++++ 1 files changed, 7 insertions(+), 0 deletions(-) Not sure whether you saw this the first time round. This was shown up in testing with containers, specifically with device cgroups. It seems we should be re-checking here else users can simply bypass the containers device permissions by mounting an overlayfs fs over them. diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index ba1a777..1145a76 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c @@ -10,6 +10,8 @@ #include <linux/fs.h> #include <linux/slab.h> #include <linux/xattr.h> +#include <linux/device_cgroup.h> +#include <linux/security.h> #include "overlayfs.h" int ovl_setattr(struct dentry *dentry, struct iattr *attr) @@ -118,6 +120,11 @@ int ovl_permission(struct inode *inode, int mask) err = realinode->i_op->permission(realinode, mask); else err = generic_permission(realinode, mask); + + if (!err) + err = devcgroup_inode_permission(realinode, mask); + if (!err) + err = security_inode_permission(realinode, mask); out_dput: dput(alias); return err; -- 1.7.9 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists