From: Miklos Szeredi Date: Mon, 14 Dec 2020 14:26:14 +0000 (+0100) Subject: ovl: check privs before decoding file handle X-Git-Tag: accepted/tizen/unified/20230118.172025~8235^2~7 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c846af050f944d584f28bc0de310383003c8096d;p=platform%2Fkernel%2Flinux-rpi.git ovl: check privs before decoding file handle CAP_DAC_READ_SEARCH is required by open_by_handle_at(2) so check it in ovl_decode_real_fh() as well to prevent privilege escalation for unprivileged overlay mounts. [Amir] If the mounter is not capable in init ns, ovl_check_origin() and ovl_verify_index() will not function as expected and this will break index and nfs export features. So check capability in ovl_can_decode_fh(), to auto disable those features. Signed-off-by: Miklos Szeredi --- diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c index 509dac7..3fe05fb 100644 --- a/fs/overlayfs/namei.c +++ b/fs/overlayfs/namei.c @@ -156,6 +156,9 @@ struct dentry *ovl_decode_real_fh(struct ovl_fs *ofs, struct ovl_fh *fh, struct dentry *real; int bytes; + if (!capable(CAP_DAC_READ_SEARCH)) + return NULL; + /* * Make sure that the stored uuid matches the uuid of the lower * layer where file handle will be decoded. diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c index 44b4b62..ced63c7 100644 --- a/fs/overlayfs/util.c +++ b/fs/overlayfs/util.c @@ -50,6 +50,9 @@ const struct cred *ovl_override_creds(struct super_block *sb) */ int ovl_can_decode_fh(struct super_block *sb) { + if (!capable(CAP_DAC_READ_SEARCH)) + return 0; + if (!sb->s_export_op || !sb->s_export_op->fh_to_dentry) return 0;