summaryrefslogtreecommitdiff
path: root/fs/attr.c
diff options
context:
space:
mode:
authorMiklos Szeredi <mszeredi@redhat.com>2016-09-16 12:44:20 +0200
committerMiklos Szeredi <mszeredi@redhat.com>2016-09-16 12:44:20 +0200
commitf2b20f6ee842313a0d681dbbf7f87b70291a6a3b (patch)
treeb4bea4c83e1968a4f69592e9a7fc15be81750a8c /fs/attr.c
parente71b9dff0634edb127f449e076e883ef24a8c76c (diff)
downloadlwn-f2b20f6ee842313a0d681dbbf7f87b70291a6a3b.tar.gz
lwn-f2b20f6ee842313a0d681dbbf7f87b70291a6a3b.zip
vfs: move permission checking into notify_change() for utimes(NULL)
This fixes a bug where the permission was not properly checked in overlayfs. The testcase is ltp/utimensat01. It is also cleaner and safer to do the permission checking in the vfs helper instead of the caller. This patch introduces an additional ia_valid flag ATTR_TOUCH (since touch(1) is the most obvious user of utimes(NULL)) that is passed into notify_change whenever the conditions for this special permission checking mode are met. Reported-by: Aihua Zhang <zhangaihua1@huawei.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Tested-by: Aihua Zhang <zhangaihua1@huawei.com> Cc: <stable@vger.kernel.org> # v3.18+
Diffstat (limited to 'fs/attr.c')
-rw-r--r--fs/attr.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/fs/attr.c b/fs/attr.c
index 42bb42bb3c72..3c42cab06b5d 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -202,6 +202,21 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de
return -EPERM;
}
+ /*
+ * If utimes(2) and friends are called with times == NULL (or both
+ * times are UTIME_NOW), then we need to check for write permission
+ */
+ if (ia_valid & ATTR_TOUCH) {
+ if (IS_IMMUTABLE(inode))
+ return -EPERM;
+
+ if (!inode_owner_or_capable(inode)) {
+ error = inode_permission(inode, MAY_WRITE);
+ if (error)
+ return error;
+ }
+ }
+
if ((ia_valid & ATTR_MODE)) {
umode_t amode = attr->ia_mode;
/* Flag setting protected by i_mutex */