Ack: Re: [oneiric CVE 1/1] overlayfs: apply device cgroup and security permissions to overlay files
Herton Ronaldo Krzesinski
herton.krzesinski at canonical.com
Wed Jan 18 18:58:42 UTC 2012
On Wed, Jan 18, 2012 at 05:45:17PM +0000, Andy Whitcroft wrote:
> When checking permissions on an overlayfs inode we do not take into
> account either device cgroup restrictions nor security permissions.
> This allows a user to mount an overlayfs layer over a restricted device
> directory and by pass those permissions to open otherwise restricted
> files.
>
> Use devcgroup_inode_permission() and security_inode_permission() against
> the underlying inodes when calculating ovl_permission().
>
> CVE-2012-0055
> BugLink: http://bugs.launchpad.net/bugs/915941
> BugLink: http://bugs.launchpad.net/bugs/918212
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
> fs/overlayfs/inode.c | 7 +++++++
> 1 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
> index ce39fab..1551032 100644
> --- a/fs/overlayfs/inode.c
> +++ b/fs/overlayfs/inode.c
> @@ -10,6 +10,8 @@
> #include <linux/fs.h>
> #include <linux/slab.h>
> #include <linux/xattr.h>
> +#include <linux/device_cgroup.h>
> +#include <linux/security.h>
> #include "overlayfs.h"
>
> int ovl_setattr(struct dentry *dentry, struct iattr *attr)
> @@ -118,6 +120,11 @@ int ovl_permission(struct inode *inode, int mask, unsigned int flags)
> else
> err = generic_permission(realinode, mask, flags,
> realinode->i_op->check_acl);
> +
> + if (!err)
> + err = devcgroup_inode_permission(realinode, mask);
> + if (!err)
> + err = security_inode_permission(realinode, mask);
> out_dput:
> dput(alias);
> return err;
Ack, matches the behaviour looking at inode_permission, so I guess is
correct (I don't know much about fs stuff).
--
[]'s
Herton
More information about the kernel-team
mailing list