Commit 4b7791b2 authored by Christian Brauner's avatar Christian Brauner Committed by Miklos Szeredi

ovl: handle idmappings in ovl_permission()



Use the previously introduced ovl_i_path_real() helper to retrieve the
relevant upper or lower path and take the mount's idmapping into account
for the lower layer permission check. This is needed to support idmapped
base layers with overlay.

Cc: <linux-unionfs@vger.kernel.org>
Tested-by: default avatarGiuseppe Scrivano <gscrivan@redhat.com>
Reviewed-by: default avatarAmir Goldstein <amir73il@gmail.com>
Signed-off-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
parent 2878dffc
+6 −3
@@ -280,12 +280,14 @@ int ovl_permission(struct user_namespace *mnt_userns,
		   struct inode *inode, int mask)
{
	struct inode *upperinode = ovl_inode_upper(inode);
	struct inode *realinode = upperinode ?: ovl_inode_lower(inode);
	struct inode *realinode;
	struct path realpath;
	const struct cred *old_cred;
	int err;

	/* Careful in RCU walk mode */
	if (!realinode) {
	ovl_i_path_real(inode, &realpath);
	if (!realpath.dentry) {
		WARN_ON(!(mask & MAY_NOT_BLOCK));
		return -ECHILD;
	}
@@ -298,6 +300,7 @@ int ovl_permission(struct user_namespace *mnt_userns,
	if (err)
		return err;

	realinode = d_inode(realpath.dentry);
	old_cred = ovl_override_creds(inode->i_sb);
	if (!upperinode &&
	    !special_file(realinode->i_mode) && mask & MAY_WRITE) {
@@ -305,7 +308,7 @@ int ovl_permission(struct user_namespace *mnt_userns,
		/* Make sure mounter can read file for copy up later */
		mask |= MAY_READ;
	}
	err = inode_permission(&init_user_ns, realinode, mask);
	err = inode_permission(mnt_user_ns(realpath.mnt), realinode, mask);
	revert_creds(old_cred);

	return err;
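Review bot: `realinode = d_inode(realpath.dentry);` in the second hunk is dereferenced unchecked (`realinode->i_mode`, then `inode_permission()`), while the NULL test that used to cover the real inode now only covers `realpath.dentry`. The existing comment says this path runs in RCU walk mode, where the real dentry can presumably lose its inode concurrently, so a non-NULL dentry does not guarantee a non-NULL inode and the result would be a NULL pointer dereference in the kernel. I would resolve the inode next to the existing guard, before `ovl_override_creds()` so the early return needs no `revert_creds()`: `realinode = realpath.dentry ? d_inode_rcu(realpath.dentry) : NULL;` followed by `if (!realinode) {` in place of `if (!realpath.dentry) {`. The function body continues outside the visible hunks, so this should be confirmed against the full function.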