diff options
author | Christian Brauner <brauner@kernel.org> | 2022-04-04 12:51:55 +0200 |
---|---|---|
committer | Miklos Szeredi <mszeredi@redhat.com> | 2022-04-28 16:31:12 +0200 |
commit | 4b7791b2e95805eaa9568761741d33cf929c930c (patch) | |
tree | a43c459ac29dcf7fbf5e80470e4c104b0731c8ff /fs/overlayfs/inode.c | |
parent | ovl: use ovl_copy_{real,upper}attr() wrappers (diff) | |
download | linux-4b7791b2e95805eaa9568761741d33cf929c930c.tar.xz linux-4b7791b2e95805eaa9568761741d33cf929c930c.zip |
ovl: handle idmappings in ovl_permission()
Use the previously introduced ovl_i_path_real() helper to retrieve the
relevant upper or lower path and take the mount's idmapping into account
for the lower layer permission check. This is needed to support idmapped
base layers with overlay.
Cc: <linux-unionfs@vger.kernel.org>
Tested-by: Giuseppe Scrivano <gscrivan@redhat.com>
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'fs/overlayfs/inode.c')
-rw-r--r-- | fs/overlayfs/inode.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index bfe7ee0aa51f..123ce07cdc77 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c @@ -280,12 +280,14 @@ int ovl_permission(struct user_namespace *mnt_userns, struct inode *inode, int mask) { struct inode *upperinode = ovl_inode_upper(inode); - struct inode *realinode = upperinode ?: ovl_inode_lower(inode); + struct inode *realinode; + struct path realpath; const struct cred *old_cred; int err; /* Careful in RCU walk mode */ - if (!realinode) { + ovl_i_path_real(inode, &realpath); + if (!realpath.dentry) { WARN_ON(!(mask & MAY_NOT_BLOCK)); return -ECHILD; } @@ -298,6 +300,7 @@ int ovl_permission(struct user_namespace *mnt_userns, if (err) return err; + realinode = d_inode(realpath.dentry); old_cred = ovl_override_creds(inode->i_sb); if (!upperinode && !special_file(realinode->i_mode) && mask & MAY_WRITE) { @@ -305,7 +308,7 @@ int ovl_permission(struct user_namespace *mnt_userns, /* Make sure mounter can read file for copy up later */ mask |= MAY_READ; } - err = inode_permission(&init_user_ns, realinode, mask); + err = inode_permission(mnt_user_ns(realpath.mnt), realinode, mask); revert_creds(old_cred); return err; |