posix_acl: Clear SGID bit when setting file permissions
When file permissions are modified via chmod(2) and the user is not in the owning group or capable of CAP_FSETID, the setgid bit is cleared in inode_change_ok(). Setting a POSIX ACL via setxattr(2) sets the file permissions as well as the new ACL, but doesn't clear the setgid bit in a similar way; this allows to bypass the check in chmod(2). Fix that. References: CVE-2016-7097 Reviewed-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/ linux.git Git-commit: 073931017b49d9458aa351605b43a7e34598caef Change-Id: Idf7cd8d0fb030fedeabd46254e4c4a9c08bce8b5 [d-cagle@codeaurora.org: Resolve merge conflicts and style] Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org> [stummala@codeaurora.org: Resolve merge conflicts on existing files and skip files fs/ceph/acl.c, fs/hfsplus/posix_acl.c and fs/jfs/acl.c from original change as those files are not present/fix is not applicable on 3.10 kernel] Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
This commit is contained in:
parent
067816447b
commit
1f26976892
41
fs/9p/acl.c
41
fs/9p/acl.c
|
@ -320,32 +320,27 @@ static int v9fs_xattr_set_acl(struct dentry *dentry, const char *name,
|
||||||
case ACL_TYPE_ACCESS:
|
case ACL_TYPE_ACCESS:
|
||||||
name = POSIX_ACL_XATTR_ACCESS;
|
name = POSIX_ACL_XATTR_ACCESS;
|
||||||
if (acl) {
|
if (acl) {
|
||||||
umode_t mode = inode->i_mode;
|
struct iattr iattr;
|
||||||
retval = posix_acl_equiv_mode(acl, &mode);
|
|
||||||
if (retval < 0)
|
retval = posix_acl_update_mode(inode,
|
||||||
|
&iattr.ia_mode, &acl);
|
||||||
|
if (retval)
|
||||||
goto err_out;
|
goto err_out;
|
||||||
else {
|
if (!acl) {
|
||||||
struct iattr iattr;
|
/*
|
||||||
if (retval == 0) {
|
* ACL can be represented
|
||||||
/*
|
* by the mode bits. So don't
|
||||||
* ACL can be represented
|
* update ACL.
|
||||||
* by the mode bits. So don't
|
|
||||||
* update ACL.
|
|
||||||
*/
|
|
||||||
acl = NULL;
|
|
||||||
value = NULL;
|
|
||||||
size = 0;
|
|
||||||
}
|
|
||||||
/* Updte the mode bits */
|
|
||||||
iattr.ia_mode = ((mode & S_IALLUGO) |
|
|
||||||
(inode->i_mode & ~S_IALLUGO));
|
|
||||||
iattr.ia_valid = ATTR_MODE;
|
|
||||||
/* FIXME should we update ctime ?
|
|
||||||
* What is the following setxattr update the
|
|
||||||
* mode ?
|
|
||||||
*/
|
*/
|
||||||
v9fs_vfs_setattr_dotl(dentry, &iattr);
|
value = NULL;
|
||||||
|
size = 0;
|
||||||
}
|
}
|
||||||
|
iattr.ia_valid = ATTR_MODE;
|
||||||
|
/* FIXME should we update ctime ?
|
||||||
|
* What is the following setxattr update the
|
||||||
|
* mode ?
|
||||||
|
*/
|
||||||
|
v9fs_vfs_setattr_dotl(dentry, &iattr);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case ACL_TYPE_DEFAULT:
|
case ACL_TYPE_DEFAULT:
|
||||||
|
|
|
@ -118,11 +118,10 @@ static int btrfs_set_acl(struct btrfs_trans_handle *trans,
|
||||||
case ACL_TYPE_ACCESS:
|
case ACL_TYPE_ACCESS:
|
||||||
name = POSIX_ACL_XATTR_ACCESS;
|
name = POSIX_ACL_XATTR_ACCESS;
|
||||||
if (acl) {
|
if (acl) {
|
||||||
ret = posix_acl_equiv_mode(acl, &inode->i_mode);
|
ret = posix_acl_update_mode(inode,
|
||||||
if (ret < 0)
|
&inode->i_mode, &acl);
|
||||||
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
if (ret == 0)
|
|
||||||
acl = NULL;
|
|
||||||
}
|
}
|
||||||
ret = 0;
|
ret = 0;
|
||||||
break;
|
break;
|
||||||
|
|
|
@ -206,15 +206,12 @@ ext2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
|
||||||
case ACL_TYPE_ACCESS:
|
case ACL_TYPE_ACCESS:
|
||||||
name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
|
name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
|
||||||
if (acl) {
|
if (acl) {
|
||||||
error = posix_acl_equiv_mode(acl, &inode->i_mode);
|
error = posix_acl_update_mode(inode,
|
||||||
if (error < 0)
|
&inode->i_mode, &acl);
|
||||||
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
else {
|
inode->i_ctime = CURRENT_TIME_SEC;
|
||||||
inode->i_ctime = CURRENT_TIME_SEC;
|
mark_inode_dirty(inode);
|
||||||
mark_inode_dirty(inode);
|
|
||||||
if (error == 0)
|
|
||||||
acl = NULL;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
|
|
@ -211,15 +211,12 @@ ext4_set_acl(handle_t *handle, struct inode *inode, int type,
|
||||||
case ACL_TYPE_ACCESS:
|
case ACL_TYPE_ACCESS:
|
||||||
name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
|
name_index = EXT4_XATTR_INDEX_POSIX_ACL_ACCESS;
|
||||||
if (acl) {
|
if (acl) {
|
||||||
error = posix_acl_equiv_mode(acl, &inode->i_mode);
|
error = posix_acl_update_mode(inode,
|
||||||
if (error < 0)
|
&inode->i_mode, &acl);
|
||||||
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
else {
|
inode->i_ctime = ext4_current_time(inode);
|
||||||
inode->i_ctime = ext4_current_time(inode);
|
ext4_mark_inode_dirty(handle, inode);
|
||||||
ext4_mark_inode_dirty(handle, inode);
|
|
||||||
if (error == 0)
|
|
||||||
acl = NULL;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
|
|
@ -223,12 +223,11 @@ static int f2fs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
|
||||||
case ACL_TYPE_ACCESS:
|
case ACL_TYPE_ACCESS:
|
||||||
name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
|
name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
|
||||||
if (acl) {
|
if (acl) {
|
||||||
error = posix_acl_equiv_mode(acl, &inode->i_mode);
|
error = posix_acl_update_mode(inode,
|
||||||
if (error < 0)
|
&inode->i_mode, &acl);
|
||||||
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
set_acl_inode(fi, inode->i_mode);
|
set_acl_inode(fi, inode->i_mode);
|
||||||
if (error == 0)
|
|
||||||
acl = NULL;
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
|
|
@ -267,8 +267,9 @@ static int gfs2_xattr_system_set(struct dentry *dentry, const char *name,
|
||||||
goto out_release;
|
goto out_release;
|
||||||
|
|
||||||
if (type == ACL_TYPE_ACCESS) {
|
if (type == ACL_TYPE_ACCESS) {
|
||||||
umode_t mode = inode->i_mode;
|
umode_t mode;
|
||||||
error = posix_acl_equiv_mode(acl, &mode);
|
|
||||||
|
error = posix_acl_update_mode(inode, &mode, &acl);
|
||||||
|
|
||||||
if (error <= 0) {
|
if (error <= 0) {
|
||||||
posix_acl_release(acl);
|
posix_acl_release(acl);
|
||||||
|
|
|
@ -243,9 +243,10 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
|
||||||
case ACL_TYPE_ACCESS:
|
case ACL_TYPE_ACCESS:
|
||||||
xprefix = JFFS2_XPREFIX_ACL_ACCESS;
|
xprefix = JFFS2_XPREFIX_ACL_ACCESS;
|
||||||
if (acl) {
|
if (acl) {
|
||||||
umode_t mode = inode->i_mode;
|
umode_t mode;
|
||||||
rc = posix_acl_equiv_mode(acl, &mode);
|
|
||||||
if (rc < 0)
|
rc = posix_acl_update_mode(inode, &mode, &acl);
|
||||||
|
if (rc)
|
||||||
return rc;
|
return rc;
|
||||||
if (inode->i_mode != mode) {
|
if (inode->i_mode != mode) {
|
||||||
struct iattr attr;
|
struct iattr attr;
|
||||||
|
@ -257,8 +258,6 @@ static int jffs2_set_acl(struct inode *inode, int type, struct posix_acl *acl)
|
||||||
if (rc < 0)
|
if (rc < 0)
|
||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
if (rc == 0)
|
|
||||||
acl = NULL;
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case ACL_TYPE_DEFAULT:
|
case ACL_TYPE_DEFAULT:
|
||||||
|
|
|
@ -274,9 +274,10 @@ static int ocfs2_set_acl(handle_t *handle,
|
||||||
case ACL_TYPE_ACCESS:
|
case ACL_TYPE_ACCESS:
|
||||||
name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS;
|
name_index = OCFS2_XATTR_INDEX_POSIX_ACL_ACCESS;
|
||||||
if (acl) {
|
if (acl) {
|
||||||
umode_t mode = inode->i_mode;
|
umode_t mode;
|
||||||
ret = posix_acl_equiv_mode(acl, &mode);
|
|
||||||
if (ret < 0)
|
ret = posix_acl_update_mode(inode, &mode, &acl);
|
||||||
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
else {
|
else {
|
||||||
if (ret == 0)
|
if (ret == 0)
|
||||||
|
@ -286,7 +287,6 @@ static int ocfs2_set_acl(handle_t *handle,
|
||||||
handle, mode);
|
handle, mode);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
|
@ -424,3 +424,34 @@ posix_acl_chmod(struct posix_acl **acl, gfp_t gfp, umode_t mode)
|
||||||
return err;
|
return err;
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL(posix_acl_chmod);
|
EXPORT_SYMBOL(posix_acl_chmod);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* posix_acl_update_mode - update mode in set_acl
|
||||||
|
*
|
||||||
|
* Update the file mode when setting an ACL: compute the new file permission
|
||||||
|
* bits based on the ACL. In addition, if the ACL is equivalent to the new
|
||||||
|
* file mode, set *acl to NULL to indicate that no ACL should be set.
|
||||||
|
*
|
||||||
|
* As with chmod, clear the setgit bit if the caller is not in the owning group
|
||||||
|
* or capable of CAP_FSETID (see inode_change_ok).
|
||||||
|
*
|
||||||
|
* Called from set_acl inode operations.
|
||||||
|
*/
|
||||||
|
int posix_acl_update_mode(struct inode *inode, umode_t *mode_p,
|
||||||
|
struct posix_acl **acl)
|
||||||
|
{
|
||||||
|
umode_t mode = inode->i_mode;
|
||||||
|
int error;
|
||||||
|
|
||||||
|
error = posix_acl_equiv_mode(*acl, &mode);
|
||||||
|
if (error < 0)
|
||||||
|
return error;
|
||||||
|
if (error == 0)
|
||||||
|
*acl = NULL;
|
||||||
|
if (!in_group_p(inode->i_gid) &&
|
||||||
|
!capable_wrt_inode_uidgid(inode, CAP_FSETID))
|
||||||
|
mode &= ~S_ISGID;
|
||||||
|
*mode_p = mode;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
EXPORT_SYMBOL(posix_acl_update_mode);
|
||||||
|
|
|
@ -286,13 +286,10 @@ reiserfs_set_acl(struct reiserfs_transaction_handle *th, struct inode *inode,
|
||||||
case ACL_TYPE_ACCESS:
|
case ACL_TYPE_ACCESS:
|
||||||
name = POSIX_ACL_XATTR_ACCESS;
|
name = POSIX_ACL_XATTR_ACCESS;
|
||||||
if (acl) {
|
if (acl) {
|
||||||
error = posix_acl_equiv_mode(acl, &inode->i_mode);
|
error = posix_acl_update_mode(inode,
|
||||||
if (error < 0)
|
&inode->i_mode, &acl);
|
||||||
|
if (error)
|
||||||
return error;
|
return error;
|
||||||
else {
|
|
||||||
if (error == 0)
|
|
||||||
acl = NULL;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case ACL_TYPE_DEFAULT:
|
case ACL_TYPE_DEFAULT:
|
||||||
|
|
|
@ -388,8 +388,9 @@ xfs_xattr_acl_set(struct dentry *dentry, const char *name,
|
||||||
goto out_release;
|
goto out_release;
|
||||||
|
|
||||||
if (type == ACL_TYPE_ACCESS) {
|
if (type == ACL_TYPE_ACCESS) {
|
||||||
umode_t mode = inode->i_mode;
|
umode_t mode;
|
||||||
error = posix_acl_equiv_mode(acl, &mode);
|
|
||||||
|
error = posix_acl_update_mode(inode, &mode, &acl);
|
||||||
|
|
||||||
if (error <= 0) {
|
if (error <= 0) {
|
||||||
posix_acl_release(acl);
|
posix_acl_release(acl);
|
||||||
|
|
|
@ -95,6 +95,9 @@ extern struct posix_acl *get_posix_acl(struct inode *, int);
|
||||||
extern int set_posix_acl(struct inode *, int, struct posix_acl *);
|
extern int set_posix_acl(struct inode *, int, struct posix_acl *);
|
||||||
|
|
||||||
#ifdef CONFIG_FS_POSIX_ACL
|
#ifdef CONFIG_FS_POSIX_ACL
|
||||||
|
extern int posix_acl_update_mode(struct inode *, umode_t *,
|
||||||
|
struct posix_acl **);
|
||||||
|
|
||||||
static inline struct posix_acl **acl_by_type(struct inode *inode, int type)
|
static inline struct posix_acl **acl_by_type(struct inode *inode, int type)
|
||||||
{
|
{
|
||||||
switch (type) {
|
switch (type) {
|
||||||
|
|
Loading…
Reference in New Issue