diff options
author | Jens Axboe <jens.axboe@oracle.com> | 2006-10-17 19:43:22 +0200 |
---|---|---|
committer | Jens Axboe <axboe@nelson.home.kernel.dk> | 2006-10-19 20:53:09 +0200 |
commit | 8c34e2d63231d4bf4852bac8521883944d770fe3 (patch) | |
tree | 13e3332384bd1c5844d7827066815ae0ae75f8aa | |
parent | 01de85e057328ecbef36e108673b1e81059d54c1 (diff) | |
download | lwn-8c34e2d63231d4bf4852bac8521883944d770fe3.tar.gz lwn-8c34e2d63231d4bf4852bac8521883944d770fe3.zip |
[PATCH] Remove SUID when splicing into an inode
Originally from Mark Fasheh <mark.fasheh@oracle.com>
generic_file_splice_write() does not remove S_ISUID or S_ISGID. This is
inconsistent with the way we generally write to files.
Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
-rw-r--r-- | fs/splice.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/fs/splice.c b/fs/splice.c index 68e20e65c6e1..49fb9f129938 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -845,6 +845,10 @@ generic_file_splice_write_nolock(struct pipe_inode_info *pipe, struct file *out, ssize_t ret; int err; + err = remove_suid(out->f_dentry); + if (unlikely(err)) + return err; + ret = __splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_file); if (ret > 0) { *ppos += ret; @@ -883,12 +887,21 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out, loff_t *ppos, size_t len, unsigned int flags) { struct address_space *mapping = out->f_mapping; + struct inode *inode = mapping->host; ssize_t ret; + int err; + + err = should_remove_suid(out->f_dentry); + if (unlikely(err)) { + mutex_lock(&inode->i_mutex); + err = __remove_suid(out->f_dentry, err); + mutex_unlock(&inode->i_mutex); + if (err) + return err; + } ret = splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_file); if (ret > 0) { - struct inode *inode = mapping->host; - *ppos += ret; /* @@ -896,8 +909,6 @@ generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out, * sync it. */ if (unlikely((out->f_flags & O_SYNC) || IS_SYNC(inode))) { - int err; - mutex_lock(&inode->i_mutex); err = generic_osync_inode(inode, mapping, OSYNC_METADATA|OSYNC_DATA); |