summaryrefslogtreecommitdiffstats
path: root/fs/overlayfs/util.c
diff options
context:
space:
mode:
authorMiklos Szeredi <mszeredi@redhat.com>2020-12-14 15:26:14 +0100
committerMiklos Szeredi <mszeredi@redhat.com>2020-12-14 15:26:14 +0100
commitc846af050f944d584f28bc0de310383003c8096d (patch)
tree32070dcfc93dd4164928c5d7056836f5c420bfc7 /fs/overlayfs/util.c
parentvfs: verify source area in vfs_dedupe_file_range_one() (diff)
downloadlinux-c846af050f944d584f28bc0de310383003c8096d.tar.xz
linux-c846af050f944d584f28bc0de310383003c8096d.zip
ovl: check privs before decoding file handle
CAP_DAC_READ_SEARCH is required by open_by_handle_at(2) so check it in ovl_decode_real_fh() as well to prevent privilege escalation for unprivileged overlay mounts. [Amir] If the mounter is not capable in init ns, ovl_check_origin() and ovl_verify_index() will not function as expected and this will break index and nfs export features. So check capability in ovl_can_decode_fh(), to auto disable those features. Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'fs/overlayfs/util.c')
-rw-r--r--fs/overlayfs/util.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 44b4b62a8ac8..ced63c79e9dd 100644
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -50,6 +50,9 @@ const struct cred *ovl_override_creds(struct super_block *sb)
*/
int ovl_can_decode_fh(struct super_block *sb)
{
+ if (!capable(CAP_DAC_READ_SEARCH))
+ return 0;
+
if (!sb->s_export_op || !sb->s_export_op->fh_to_dentry)
return 0;