Commit 754f8cb7 authored by Vivek Goyal's avatar Vivek Goyal Committed by Miklos Szeredi
Browse files

ovl: do not require mounter to have MAY_WRITE on lower 



Now we have two levels of checks in ovl_permission(). overlay inode
is checked with the creds of task while underlying inode is checked
with the creds of mounter.

Looks like mounter does not have to have WRITE access to files on lower/.
So remove the MAY_WRITE from access mask for checks on underlying
lower inode.

This means task should still have the MAY_WRITE permission on lower
inode and mounter is not required to have MAY_WRITE.

It also solves the problem of read only NFS mounts being used as lower.
If __inode_permission(lower_inode, MAY_WRITE) is called on read only
NFS, it fails. By resetting MAY_WRITE, check succeeds and case of
read only NFS shold work with overlay without having to specify any
special mount options (default permission).

Signed-off-by: default avatarVivek Goyal <vgoyal@redhat.com>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
parent 1175b6b8

fs/overlayfs/inode.c

+2 −0
Original line number Diff line number Diff line
@@ -184,6 +184,8 @@ int ovl_permission(struct inode *inode, int mask) 
		return err;



	old_cred = ovl_override_creds(inode->i_sb);

	if (!is_upper)

		mask &= ~(MAY_WRITE | MAY_APPEND);

	err = __inode_permission(realinode, mask);

	revert_creds(old_cred);

CRA Git | Maintained and supported by SUSTech CRA and CCSE