[PATCH 5/5] fs: Avoid premature clearing of capabilities
Christoph Hellwig
hch at infradead.org
Tue Aug 9 03:29:12 CDT 2016
On Wed, Aug 03, 2016 at 01:28:09PM +0200, Jan Kara wrote:
> Currently, notify_change() clears capabilities or IMA attributes by
> calling security_inode_killpriv() before calling into ->setattr. Thus it
> happens before any other permission checks in inode_change_ok() and user
> is thus allowed to trigger clearing of capabilities or IMA attributes
> for any file he can look up e.g. by calling chown for that file. This is
> unexpected and can lead to user DoSing a system.
>
> Fix the problem by calling security_inode_killpriv() at the end of
> inode_change_ok() instead of from notify_change(). At that moment we are
> sure user has permissions to do the requested change.
Looks fine,
Reviewed-by: Christoph Hellwig <hch at lst.de>
More information about the xfs
mailing list