ovl: check privs before decoding file handle

CAP_DAC_READ_SEARCH is required by open_by_handle_at(2) so check it in
ovl_decode_real_fh() as well to prevent privilege escalation for
unprivileged overlay mounts.

[Amir] If the mounter is not capable in init ns, ovl_check_origin() and
ovl_verify_index() will not function as expected and this will break index
and nfs export features.  So check capability in ovl_can_decode_fh(), to
auto disable those features.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c
index 509dac77af611b62ecc8ac0d363a137d158ff30b..3fe05fb5d14592a7b34d4ce545d12a27d937e7dd 100644 (file)
--- a/fs/overlayfs/namei.c
+++ b/fs/overlayfs/namei.c
@@ -156,6 +156,9 @@ struct dentry *ovl_decode_real_fh(struct ovl_fs *ofs, struct ovl_fh *fh,
        struct dentry *real;
        int bytes;
 
+       if (!capable(CAP_DAC_READ_SEARCH))
+               return NULL;
+
        /*
         * Make sure that the stored uuid matches the uuid of the lower
         * layer where file handle will be decoded.

diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c
index 44b4b62a8ac891268714cc8c5b05e0426cbc19e4..ced63c79e9ddcace5d22ee30edc8803c38f29516 100644 (file)
--- a/fs/overlayfs/util.c
+++ b/fs/overlayfs/util.c
@@ -50,6 +50,9 @@ const struct cred *ovl_override_creds(struct super_block *sb)
  */
 int ovl_can_decode_fh(struct super_block *sb)
 {
+       if (!capable(CAP_DAC_READ_SEARCH))
+               return 0;
+
        if (!sb->s_export_op || !sb->s_export_op->fh_to_dentry)
                return 0;