diff options
author | Jan Kara <jack@suse.cz> | 2015-05-21 16:05:55 +0200 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2015-06-24 00:01:09 +0200 |
commit | 45f147a1bc97c743c6101a8d2741c69a51f583e4 (patch) | |
tree | b7919ca80674bc1793b4423957f4d61c8100408d /fs/open.c | |
parent | fs: Provide function telling whether file_remove_privs() will do anything (diff) | |
download | linux-45f147a1bc97c743c6101a8d2741c69a51f583e4.tar.xz linux-45f147a1bc97c743c6101a8d2741c69a51f583e4.zip |
fs: Call security_ops->inode_killpriv on truncate
Comment in include/linux/security.h says that ->inode_killpriv() should
be called when setuid bit is being removed and that similar security
labels (in fact this applies only to file capabilities) should be
removed at this time as well. However we don't call ->inode_killpriv()
when we remove suid bit on truncate.
We fix the problem by calling ->inode_need_killpriv() and subsequently
->inode_killpriv() on truncate the same way as we do it on file write.
After this patch there's only one user of should_remove_suid() - ocfs2 -
and indeed it's buggy because it doesn't call ->inode_killpriv() on
write. However fixing it is difficult because of special locking
constraints.
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/open.c')
-rw-r--r-- | fs/open.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/open.c b/fs/open.c index 1dbc79358d59..e33dab287fa0 100644 --- a/fs/open.c +++ b/fs/open.c @@ -51,8 +51,10 @@ int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs, newattrs.ia_valid |= ATTR_FILE; } - /* Remove suid/sgid on truncate too */ - ret = should_remove_suid(dentry); + /* Remove suid, sgid, and file capabilities on truncate too */ + ret = dentry_needs_remove_privs(dentry); + if (ret < 0) + return ret; if (ret) newattrs.ia_valid |= ret | ATTR_FORCE; |