diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2017-03-10 12:14:18 -0500 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2017-03-29 17:33:11 -0400 |
| commit | 2a4c22426955d4fc04069811997b7390c0fb858e (patch) | |
| tree | 5ca50881e92de4a8c25947b4adc2d8dd53bc01a5 | |
| parent | 710a0647ba955abd25460c36a09d80fdbe878273 (diff) | |
fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks
generic_permission() presently checks CAP_DAC_OVERRIDE prior to
CAP_DAC_READ_SEARCH. This can cause misleading audit messages when
using a LSM such as SELinux or AppArmor, since CAP_DAC_OVERRIDE
may not be required for the operation. Flip the order of the
tests so that CAP_DAC_OVERRIDE is only checked when required for
the operation.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | fs/namei.c | 20 |
1 files changed, 10 insertions, 10 deletions
diff --git a/fs/namei.c b/fs/namei.c index d41fab78798b..482414aa558b 100644 --- a/fs/namei.c +++ b/fs/namei.c | |||
| @@ -340,22 +340,14 @@ int generic_permission(struct inode *inode, int mask) | |||
| 340 | 340 | ||
| 341 | if (S_ISDIR(inode->i_mode)) { | 341 | if (S_ISDIR(inode->i_mode)) { |
| 342 | /* DACs are overridable for directories */ | 342 | /* DACs are overridable for directories */ |
| 343 | if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) | ||
| 344 | return 0; | ||
| 345 | if (!(mask & MAY_WRITE)) | 343 | if (!(mask & MAY_WRITE)) |
| 346 | if (capable_wrt_inode_uidgid(inode, | 344 | if (capable_wrt_inode_uidgid(inode, |
| 347 | CAP_DAC_READ_SEARCH)) | 345 | CAP_DAC_READ_SEARCH)) |
| 348 | return 0; | 346 | return 0; |
| 349 | return -EACCES; | ||
| 350 | } | ||
| 351 | /* | ||
| 352 | * Read/write DACs are always overridable. | ||
| 353 | * Executable DACs are overridable when there is | ||
| 354 | * at least one exec bit set. | ||
| 355 | */ | ||
| 356 | if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) | ||
| 357 | if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) | 347 | if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) |
| 358 | return 0; | 348 | return 0; |
| 349 | return -EACCES; | ||
| 350 | } | ||
| 359 | 351 | ||
| 360 | /* | 352 | /* |
| 361 | * Searching includes executable on directories, else just read. | 353 | * Searching includes executable on directories, else just read. |
| @@ -364,6 +356,14 @@ int generic_permission(struct inode *inode, int mask) | |||
| 364 | if (mask == MAY_READ) | 356 | if (mask == MAY_READ) |
| 365 | if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) | 357 | if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH)) |
| 366 | return 0; | 358 | return 0; |
| 359 | /* | ||
| 360 | * Read/write DACs are always overridable. | ||
| 361 | * Executable DACs are overridable when there is | ||
| 362 | * at least one exec bit set. | ||
| 363 | */ | ||
| 364 | if (!(mask & MAY_EXEC) || (inode->i_mode & S_IXUGO)) | ||
| 365 | if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE)) | ||
| 366 | return 0; | ||
| 367 | 367 | ||
| 368 | return -EACCES; | 368 | return -EACCES; |
| 369 | } | 369 | } |