Commit 40056782 authored by Seth Forshee's avatar Seth Forshee Committed by Tim Gardner

UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs

The original mounter had CAP_SYS_ADMIN in the user namespace
where the mount happened, and the vfs has validated that the user
has permission to do the requested operation. This is sufficient
for allowing the kernel to write these specific xattrs, so bypass
the permission checks for these xattrs.

BugLink: http://bugs.launchpad.net/bugs/1531747
BugLink: http://bugs.launchpad.net/bugs/1534961
BugLink: http://bugs.launchpad.net/bugs/1535150
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
parent e5e96b1e
...@@ -60,7 +60,7 @@ int ovl_do_whiteout_v1(struct inode *workdir, ...@@ -60,7 +60,7 @@ int ovl_do_whiteout_v1(struct inode *workdir,
if (err) if (err)
return err; return err;
err = vfs_setxattr(dentry, ovl_whiteout_xattr, "y", 1, 0); err = ovl_do_setxattr(dentry, ovl_whiteout_xattr, "y", 1, 0);
if (err) if (err)
vfs_unlink(workdir, dentry, NULL); vfs_unlink(workdir, dentry, NULL);
......
...@@ -95,7 +95,14 @@ static inline int ovl_do_symlink(struct inode *dir, struct dentry *dentry, ...@@ -95,7 +95,14 @@ static inline int ovl_do_symlink(struct inode *dir, struct dentry *dentry,
static inline int ovl_do_setxattr(struct dentry *dentry, const char *name, static inline int ovl_do_setxattr(struct dentry *dentry, const char *name,
const void *value, size_t size, int flags) const void *value, size_t size, int flags)
{ {
int err = vfs_setxattr(dentry, name, value, size, flags); struct inode *inode = dentry->d_inode;
int err = -EOPNOTSUPP;
mutex_lock(&inode->i_mutex);
if (inode->i_op->setxattr)
err = inode->i_op->setxattr(dentry, name, value, size, flags);
mutex_unlock(&inode->i_mutex);
pr_debug("setxattr(%pd2, \"%s\", \"%*s\", 0x%x) = %i\n", pr_debug("setxattr(%pd2, \"%s\", \"%*s\", 0x%x) = %i\n",
dentry, name, (int) size, (char *) value, flags, err); dentry, name, (int) size, (char *) value, flags, err);
return err; return err;
...@@ -103,7 +110,14 @@ static inline int ovl_do_setxattr(struct dentry *dentry, const char *name, ...@@ -103,7 +110,14 @@ static inline int ovl_do_setxattr(struct dentry *dentry, const char *name,
static inline int ovl_do_removexattr(struct dentry *dentry, const char *name) static inline int ovl_do_removexattr(struct dentry *dentry, const char *name)
{ {
int err = vfs_removexattr(dentry, name); struct inode *inode = dentry->d_inode;
int err = -EOPNOTSUPP;
mutex_lock(&inode->i_mutex);
if (inode->i_op->removexattr)
err = inode->i_op->removexattr(dentry, name);
mutex_unlock(&inode->i_mutex);
pr_debug("removexattr(%pd2, \"%s\") = %i\n", dentry, name, err); pr_debug("removexattr(%pd2, \"%s\") = %i\n", dentry, name, err);
return err; return err;
} }
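Review bot: The rewritten ovl_do_setxattr and ovl_do_removexattr bodies call inode->i_op->setxattr/removexattr for whatever name the caller passes, so the bypass of the VFS permission and LSM checks that the commit justifies for trusted.overlayfs.* names is not actually limited to them; any future caller handing these helpers a security.* or user.* name would inherit the bypass silently, and if this tree's vfs_setxattr also runs post-op LSM/fsnotify hooks those are skipped as well (confirm against the vfs). I would state the contract on both helpers with a comment such as `/* Bypasses xattr_permission()/LSM checks on purpose: only overlayfs-private trusted.* names may be passed; the mounter's CAP_SYS_ADMIN was verified at mount time. */` and enforce it before taking i_mutex with `if (WARN_ON_ONCE(strncmp(name, OVL_XATTR_PRE_NAME, OVL_XATTR_PRE_LEN) != 0)) return -EPERM;`, assuming this header still defines that prefix pair as mainline of the era did. The whiteout caller in the first hunk passes ovl_whiteout_xattr, whose exact value is not visible here, so the prefix used by the guard should be checked against it. ovl_do_whiteout_v1 starts and ends outside its hunk.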
......