| To: | Jan Kara <jack@xxxxxxx> |
|---|---|
| Subject: | Re: [PATCH 5/5] fs: Avoid premature clearing of capabilities |
| From: | Christoph Hellwig <hch@xxxxxxxxxxxxx> |
| Date: | Tue, 9 Aug 2016 01:29:12 -0700 |
| Cc: | Al Viro <viro@xxxxxxxxxxxxxxxxxx>, Miklos Szeredi <miklos@xxxxxxxxxx>, xfs@xxxxxxxxxxx, "Yan, Zheng" <zyan@xxxxxxxxxx>, linux-fsdevel@xxxxxxxxxxxxxxx, Ilya Dryomov <idryomov@xxxxxxxxx>, ceph-devel@xxxxxxxxxxxxxxx |
| Delivered-to: | xfs@xxxxxxxxxxx |
| In-reply-to: | <1470223689-17783-6-git-send-email-jack@xxxxxxx> |
| References: | <1470223689-17783-1-git-send-email-jack@xxxxxxx> <1470223689-17783-6-git-send-email-jack@xxxxxxx> |
| User-agent: | Mutt/1.6.1 (2016-04-27) |

On Wed, Aug 03, 2016 at 01:28:09PM +0200, Jan Kara wrote:
> Currently, notify_change() clears capabilities or IMA attributes by
> calling security_inode_killpriv() before calling into ->setattr. Thus it
> happens before any other permission checks in inode_change_ok() and user
> is thus allowed to trigger clearing of capabilities or IMA attributes
> for any file he can look up e.g. by calling chown for that file. This is
> unexpected and can lead to user DoSing a system.
>
> Fix the problem by calling security_inode_killpriv() at the end of
> inode_change_ok() instead of from notify_change(). At that moment we are
> sure user has permissions to do the requested change.

Looks fine,

Reviewed-by: Christoph Hellwig <hch@xxxxxx>
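
A userspace model of the ordering problem described in the quoted commit message, added here as an example and not code from the patch or the kernel. The `model_*` types and the `change_ok`, `killpriv`, `chown_old_order` and `chown_fixed_order` helpers are hypothetical stand-ins, and the permission rule is reduced to the chown ownership check.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model; these types and helpers are hypothetical,
 * not the kernel's structures or functions. */
struct model_inode { unsigned uid; bool has_caps; };
struct model_cred  { unsigned fsuid; bool cap_chown; };

/* Stand-in for the permission check: a CAP_CHOWN holder may set any uid,
 * the owner may only "change" the uid to its current value. */
static int change_ok(const struct model_inode *ino, const struct model_cred *c,
                     unsigned new_uid)
{
    if (c->cap_chown || (c->fsuid == ino->uid && new_uid == ino->uid))
        return 0;
    return -EPERM;
}

/* Stand-in for security_inode_killpriv(): drop file capabilities. */
static void killpriv(struct model_inode *ino) { ino->has_caps = false; }

/* Ordering described as the bug: privileges are killed before the check. */
int chown_old_order(struct model_inode *ino, const struct model_cred *c, unsigned new_uid)
{
    killpriv(ino);
    int err = change_ok(ino, c, new_uid);
    if (err)
        return err;             /* denied, but the capabilities are already gone */
    ino->uid = new_uid;
    return 0;
}

/* Ordering described as the fix: kill privileges only once the check passed. */
int chown_fixed_order(struct model_inode *ino, const struct model_cred *c, unsigned new_uid)
{
    int err = change_ok(ino, c, new_uid);
    if (err)
        return err;             /* denied, inode left untouched */
    killpriv(ino);
    ino->uid = new_uid;
    return 0;
}

int main(void)
{
    struct model_inode a = { 0, true }, b = { 0, true };  /* constructed sample files */
    struct model_cred user = { 1000, false };             /* constructed unprivileged caller */
    int ra = chown_old_order(&a, &user, 1000), rb = chown_fixed_order(&b, &user, 1000);
    printf("old: ret=%d caps=%d  fixed: ret=%d caps=%d\n", ra, a.has_caps, rb, b.has_caps);
    return 0;
}
```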