diff options
author | Tyler Hicks <tyhicks@linux.vnet.ibm.com> | 2009-03-12 01:19:46 -0400 |
---|---|---|
committer | Tyler Hicks <tyhicks@linux.vnet.ibm.com> | 2009-04-22 04:54:12 -0400 |
commit | ae6e84596e7b321d9a08e81679c6a3f799634636 (patch) | |
tree | a81baed56b7384321cf3d282e2d41f785fe30853 /fs/ecryptfs | |
parent | 091069740304c979f957ceacec39c461d0192158 (diff) |
eCryptfs: Copy lower inode attrs before dentry instantiation
Copies the lower inode attributes to the upper inode before passing the
upper inode to d_instantiate(). This is important for
security_d_instantiate().
The problem was discovered by a user seeing SELinux denials like so:
type=AVC msg=audit(1236812817.898:47): avc: denied { 0x100000 } for
pid=3584 comm="httpd" name="testdir" dev=ecryptfs ino=943872
scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file
Notice target class is file while testdir is really a directory,
confusing the permission translation (0x100000) due to the wrong i_mode.
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Diffstat (limited to 'fs/ecryptfs')
-rw-r--r-- | fs/ecryptfs/main.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/fs/ecryptfs/main.c b/fs/ecryptfs/main.c index aed56c25539b..7638b0a02c8d 100644 --- a/fs/ecryptfs/main.c +++ b/fs/ecryptfs/main.c | |||
@@ -190,14 +190,14 @@ int ecryptfs_interpose(struct dentry *lower_dentry, struct dentry *dentry, | |||
190 | init_special_inode(inode, lower_inode->i_mode, | 190 | init_special_inode(inode, lower_inode->i_mode, |
191 | lower_inode->i_rdev); | 191 | lower_inode->i_rdev); |
192 | dentry->d_op = &ecryptfs_dops; | 192 | dentry->d_op = &ecryptfs_dops; |
193 | if (flags & ECRYPTFS_INTERPOSE_FLAG_D_ADD) | ||
194 | d_add(dentry, inode); | ||
195 | else | ||
196 | d_instantiate(dentry, inode); | ||
197 | fsstack_copy_attr_all(inode, lower_inode, NULL); | 193 | fsstack_copy_attr_all(inode, lower_inode, NULL); |
198 | /* This size will be overwritten for real files w/ headers and | 194 | /* This size will be overwritten for real files w/ headers and |
199 | * other metadata */ | 195 | * other metadata */ |
200 | fsstack_copy_inode_size(inode, lower_inode); | 196 | fsstack_copy_inode_size(inode, lower_inode); |
197 | if (flags & ECRYPTFS_INTERPOSE_FLAG_D_ADD) | ||
198 | d_add(dentry, inode); | ||
199 | else | ||
200 | d_instantiate(dentry, inode); | ||
201 | out: | 201 | out: |
202 | return rc; | 202 | return rc; |
203 | } | 203 | } |