[PATCH] vfs: allow unprivileged whiteout creation
Miklos Szeredi
miklos at szeredi.hu
Tue May 5 10:50:56 UTC 2020
On Fri, May 1, 2020 at 4:46 PM Ondrej Mosnacek <omosnace at redhat.com> wrote:
>
> On Fri, May 1, 2020 at 9:31 AM Miklos Szeredi <miklos at szeredi.hu> wrote:
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > @@ -3505,12 +3505,14 @@ EXPORT_SYMBOL(user_path_create);
> >
> > int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
> > {
> > + bool is_whiteout = S_ISCHR(mode) && dev == WHITEOUT_DEV;
> > int error = may_create(dir, dentry);
> >
> > if (error)
> > return error;
> >
> > - if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
> > + if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD) &&
> > + !is_whiteout)
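Review bot: in the new condition `!is_whiteout` is the last operand of the `&&` chain, so for a whiteout (S_ISCHR with WHITEOUT_DEV) from a caller without CAP_MKNOD, `capable(CAP_MKNOD)` is still evaluated and can record a capability denial in the audit log even though the request is allowed; move the side-effect-free test ahead of the capability check, e.g. `if ((S_ISCHR(mode) || S_ISBLK(mode)) && !is_whiteout && !capable(CAP_MKNOD))`. A short comment above the test saying why a character device with WHITEOUT_DEV is safe to create without CAP_MKNOD would also help readers of this function.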
>
> Sorry for sidetracking, but !capable(CAP_MKNOD) needs to be last in
> the chain, otherwise you could get a bogus audit report of CAP_MKNOD
> being denied in case is_whiteout is true.
Thanks, fixed in the latest revision.
Miklos