Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cc658db4 authored Jun 21, 2017 by Kees Cook Committed by Al Viro Jun 29, 2017

fs: Reorder inode_owner_or_capable() to avoid needless



Checking for capabilities should be the last operation when performing
access control tests so that PF_SUPERPRIV is set only when it was required
for success (implying that the capability was needed for the operation).

Reported-by: Solar Designer <solar@openwall.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

parent 41124db8

fs/inode.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2023,7 +2023,7 @@ bool inode_owner_or_capable(const struct inode *inode)
		return true;

		ns = current_user_ns();
		if (ns_capable(ns, CAP_FOWNER) && kuid_has_mapping(ns, inode->i_uid))
		if (kuid_has_mapping(ns, inode->i_uid) && ns_capable(ns, CAP_FOWNER))
		return true;
		return false;
		}

fs/namei.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1008,7 +1008,7 @@ static int may_linkat(struct path *link)
		/* Source inode owner (or CAP_FOWNER) can hardlink all they like,
		* otherwise, it must be a safe source.
		*/
		if (inode_owner_or_capable(inode) \|\| safe_hardlink_source(inode))
		if (safe_hardlink_source(inode) \|\| inode_owner_or_capable(inode))
		return 0;

		audit_log_link_denied("linkat", link);