ovl: check privs before decoding file handle (c846af05) · Commits · 戴 / test

CAP_DAC_READ_SEARCH is required by open_by_handle_at(2) so check it in ovl_decode_real_fh() as well to prevent privilege escalation for unprivileged overlay mounts. [Amir] If the mounter is not capable in init ns, ovl_check_origin() and ovl_verify_index() will not function as expected and this will break index and nfs export features. So check capability in ovl_can_decode_fh(), to auto disable those features. Signed-off-by:

Miklos Szeredi <mszeredi@redhat.com>

fs/overlayfs/namei.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -156,6 +156,9 @@ struct dentry ovl_decode_real_fh(struct ovl_fs ofs, struct ovl_fh *fh,
		struct dentry *real;
		int bytes;

		if (!capable(CAP_DAC_READ_SEARCH))
		return NULL;

		/*
		* Make sure that the stored uuid matches the uuid of the lower
		* layer where file handle will be decoded.

fs/overlayfs/util.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -50,6 +50,9 @@ const struct cred ovl_override_creds(struct super_block sb)
		*/
		int ovl_can_decode_fh(struct super_block *sb)
		{
		if (!capable(CAP_DAC_READ_SEARCH))
		return 0;

		if (!sb->s_export_op \|\| !sb->s_export_op->fh_to_dentry)
		return 0;

Admin message