fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks (2a4c2242) · Commits · 戴 / test

generic_permission() presently checks CAP_DAC_OVERRIDE prior to CAP_DAC_READ_SEARCH. This can cause misleading audit messages when using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE may not be required for the operation. Flip the order of the tests so that CAP_DAC_OVERRIDE is only checked when required for the operation. Signed-off-by:

Stephen Smalley <sds@tycho.nsa.gov> Acked-by:

John Johansen <john.johansen@canonical.com> Reviewed-by:

Serge Hallyn <serge@hallyn.com> Acked-by:

James Morris <james.l.morris@oracle.com> Signed-off-by:

Paul Moore <paul@paul-moore.com>

fs/namei.c

+10 −10

Original line number	Diff line number	Diff line
		@@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask)

		if (S_ISDIR(inode->i_mode)) {
		/* DACs are overridable for directories */
		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
		return 0;
		if (!(mask & MAY_WRITE))
		if (capable_wrt_inode_uidgid(inode,
		CAP_DAC_READ_SEARCH))
		return 0;
		return -EACCES;
		}
		/*
		* Read/write DACs are always overridable.
		* Executable DACs are overridable when there is
		* at least one exec bit set.
		*/
		if (!(mask & MAY_EXEC) \|\| (inode->i_mode & S_IXUGO))
		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
		return 0;
		return -EACCES;
		}

		/*
		* Searching includes executable on directories, else just read.
		@@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask)
		if (mask == MAY_READ)
		if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
		return 0;
		/*
		* Read/write DACs are always overridable.
		* Executable DACs are overridable when there is
		* at least one exec bit set.
		*/
		if (!(mask & MAY_EXEC) \|\| (inode->i_mode & S_IXUGO))
		if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
		return 0;

		return -EACCES;
		}

Admin message