Diffstat (limited to 'fs/namei.c')
-rw-r--r--fs/namei.c56
1 files changed, 42 insertions, 14 deletions
diff --git a/fs/namei.c b/fs/namei.c
index 5a9a6c3094da..54fc993e3027 100644
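--- a/fs/namei.c
+++ b/fs/namei.c
@@ -70,7 +70,7 @@
  * name indicated by the symlink. The old code always complained that the
  * name already exists, due to not following the symlink even if its target
  * is nonexistent. The new semantics affects also mknod() and link() when
- * the name is a symlink pointing to a non-existant name.
+ * the name is a symlink pointing to a non-existent name.
  *
  * I don't know which semantics is the right one, since I have no access
  * to standards. But I found by trial that HP-UX 9.0 has the full "new"
@@ -183,6 +183,9 @@ static int acl_permission_check(struct inode *inode, int mask, unsigned int flag
 
  mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
 
+ if (current_user_ns() != inode_userns(inode))
+ goto other_perms;
+
  if (current_fsuid() == inode->i_uid)
  mode >>= 6;
  else {
@@ -196,6 +199,7 @@ static int acl_permission_check(struct inode *inode, int mask, unsigned int flag
  mode >>= 3;
  }
 
+other_perms:
  /*
  * If the DACs are ok we don't need any capability check.
  */
@@ -237,7 +241,7 @@ int generic_permission(struct inode *inode, int mask, unsigned int flags,
  * Executable DACs are overridable if at least one exec bit is set.
  */
  if (!(mask & MAY_EXEC) || execute_ok(inode))
- if (capable(CAP_DAC_OVERRIDE))
+ if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
  return 0;
 
  /*
@@ -245,7 +249,7 @@ int generic_permission(struct inode *inode, int mask, unsigned int flags,
  */
  mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
  if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
- if (capable(CAP_DAC_READ_SEARCH))
+ if (ns_capable(inode_userns(inode), CAP_DAC_READ_SEARCH))
  return 0;
 
  return -EACCES;
@@ -654,6 +658,7 @@ static inline int handle_reval_path(struct nameidata *nd)
 static inline int exec_permission(struct inode *inode, unsigned int flags)
 {
  int ret;
+ struct user_namespace *ns = inode_userns(inode);
 
  if (inode->i_op->permission) {
  ret = inode->i_op->permission(inode, MAY_EXEC, flags);
@@ -666,7 +671,8 @@ static inline int exec_permission(struct inode *inode, unsigned int flags)
  if (ret == -ECHILD)
  return ret;
 
- if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
+ if (ns_capable(ns, CAP_DAC_OVERRIDE) ||
+ ns_capable(ns, CAP_DAC_READ_SEARCH))
  goto ok;
 
  return ret;
@@ -691,6 +697,7 @@ static __always_inline void set_root_rcu(struct nameidata *nd)
  do {
  seq = read_seqcount_begin(&fs->seq);
  nd->root = fs->root;
+ nd->seq = __read_seqcount_begin(&nd->root.dentry->d_seq);
  } while (read_seqcount_retry(&fs->seq, seq));
  }
 }
@@ -986,6 +993,12 @@ int follow_down_one(struct path *path)
  return 0;
 }
 
+static inline bool managed_dentry_might_block(struct dentry *dentry)
+{
+ return (dentry->d_flags & DCACHE_MANAGE_TRANSIT &&
+ dentry->d_op->d_manage(dentry, true) < 0);
+}
+
 /*
  * Skip to top of mountpoint pile in rcuwalk mode. We abort the rcu-walk if we
  * meet a managed dentry and we're not walking to "..". True is returned to
@@ -994,19 +1007,26 @@ int follow_down_one(struct path *path)
 static bool __follow_mount_rcu(struct nameidata *nd, struct path *path,
  struct inode **inode, bool reverse_transit)
 {
- while (d_mountpoint(path->dentry)) {
+ for (;;) {
  struct vfsmount *mounted;
- if (unlikely(path->dentry->d_flags & DCACHE_MANAGE_TRANSIT) &&
- !reverse_transit &&
- path->dentry->d_op->d_manage(path->dentry, true) < 0)
+ /*
+ * Don't forget we might have a non-mountpoint managed dentry
+ * that wants to block transit.
+ */
+ *inode = path->dentry->d_inode;
+ if (!reverse_transit &&
+ unlikely(managed_dentry_might_block(path->dentry)))
  return false;
+
+ if (!d_mountpoint(path->dentry))
+ break;
+
  mounted = __lookup_mnt(path->mnt, path->dentry, 1);
  if (!mounted)
  break;
  path->mnt = mounted;
  path->dentry = mounted->mnt_root;
  nd->seq = read_seqcount_begin(&path->dentry->d_seq);
- *inode = path->dentry->d_inode;
  }
 
  if (unlikely(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT))
@@ -1644,13 +1664,16 @@ static int path_lookupat(int dfd, const char *name,
  err = -ECHILD;
  }
 
- if (!err)
+ if (!err) {
  err = handle_reval_path(nd);
+ if (err)
+ path_put(&nd->path);
+ }
 
  if (!err && nd->flags & LOOKUP_DIRECTORY) {
  if (!nd->inode->i_op->lookup) {
  path_put(&nd->path);
- return -ENOTDIR;
+ err = -ENOTDIR;
  }
  }
 
@@ -1842,11 +1865,15 @@ static inline int check_sticky(struct inode *dir, struct inode *inode)
 
  if (!(dir->i_mode & S_ISVTX))
  return 0;
+ if (current_user_ns() != inode_userns(inode))
+ goto other_userns;
  if (inode->i_uid == fsuid)
  return 0;
  if (dir->i_uid == fsuid)
  return 0;
- return !capable(CAP_FOWNER);
+
+other_userns:
+ return !ns_capable(inode_userns(inode), CAP_FOWNER);
 }
 
 /*
@@ -2026,7 +2053,7 @@ static int may_open(struct path *path, int acc_mode, int flag)
  }
 
  /* O_NOATIME can only be set by the owner or superuser */
- if (flag & O_NOATIME && !is_owner_or_cap(inode))
+ if (flag & O_NOATIME && !inode_owner_or_capable(inode))
  return -EPERM;
 
  /*
@@ -2440,7 +2467,8 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
  if (error)
  return error;
 
- if ((S_ISCHR(mode) || S_ISBLK(mode)) &&  !capable(CAP_MKNOD))
+ if ((S_ISCHR(mode) || S_ISBLK(mode)) &&
+ !ns_capable(inode_userns(dir), CAP_MKNOD))
  return -EPERM;
 
  if (!dir->i_op->mknod)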
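Review bot: In the last hunk, vfs_mknod() now gates character and block device creation on `ns_capable(inode_userns(dir), CAP_MKNOD)`, which ties the check to the directory's user namespace even though device nodes name kernel-global devices rather than namespaced objects. inode_userns() is defined outside this file section, so whether it can ever return anything other than the initial namespace is not visible here; if it can, a task holding CAP_MKNOD only in a child namespace would pass this check. I would keep the old condition `if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))` until device access is itself namespace-aware, or at least state the invariant next to the new check, e.g. `/* safe only while inode_userns(dir) is init_user_ns for any fs that honours device nodes */`. vfs_mknod's body starts and ends outside the hunk.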