ovl: check permission to open real file
Call inode_permission() on real inode before opening regular file on one of the underlying layers. In some cases ovl_permission() already checks access to an underlying file, but it misses the metacopy case, and possibly other ones as well. Removing the redundant permission check from ovl_permission() should be considered later. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
This commit is contained in:
parent
292f902a40
commit
05acefb487
|
@ -40,10 +40,22 @@ static struct file *ovl_open_realfile(const struct file *file,
|
|||
struct file *realfile;
|
||||
const struct cred *old_cred;
|
||||
int flags = file->f_flags | O_NOATIME | FMODE_NONOTIFY;
|
||||
int acc_mode = ACC_MODE(flags);
|
||||
int err;
|
||||
|
||||
if (flags & O_APPEND)
|
||||
acc_mode |= MAY_APPEND;
|
||||
|
||||
old_cred = ovl_override_creds(inode->i_sb);
|
||||
err = inode_permission(realinode, MAY_OPEN | acc_mode);
|
||||
if (err) {
|
||||
realfile = ERR_PTR(err);
|
||||
} else if (!inode_owner_or_capable(realinode)) {
|
||||
realfile = ERR_PTR(-EPERM);
|
||||
} else {
|
||||
realfile = open_with_fake_path(&file->f_path, flags, realinode,
|
||||
current_cred());
|
||||
}
|
||||
revert_creds(old_cred);
|
||||
|
||||
pr_debug("open(%p[%pD2/%c], 0%o) -> (%p, 0%o)\n",
|
||||
|
|
Loading…
Reference in New Issue
Block a user