Commit 05acefb4 authored by Miklos Szeredi's avatar Miklos Szeredi
Browse files

ovl: check permission to open real file 



Call inode_permission() on real inode before opening regular file on one of
the underlying layers.

In some cases ovl_permission() already checks access to an underlying file,
but it misses the metacopy case, and possibly other ones as well.

Removing the redundant permission check from ovl_permission() should be
considered later.

Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
parent 292f902a

fs/overlayfs/file.c

+14 −2
Original line number Diff line number Diff line
@@ -40,10 +40,22 @@ static struct file *ovl_open_realfile(const struct file *file, 
	struct file *realfile;

	const struct cred *old_cred;

	int flags = file->f_flags | O_NOATIME | FMODE_NONOTIFY;

	int acc_mode = ACC_MODE(flags);

	int err;



	if (flags & O_APPEND)

		acc_mode |= MAY_APPEND;



	old_cred = ovl_override_creds(inode->i_sb);

	err = inode_permission(realinode, MAY_OPEN | acc_mode);

	if (err) {

		realfile = ERR_PTR(err);

	} else if (!inode_owner_or_capable(realinode)) {

		realfile = ERR_PTR(-EPERM);

	} else {

		realfile = open_with_fake_path(&file->f_path, flags, realinode,

					       current_cred());

	}

	revert_creds(old_cred);



	pr_debug("open(%p[%pD2/%c], 0%o) -> (%p, 0%o)\n",