summaryrefslogtreecommitdiff
path: root/fs/attr.c
diff options
context:
space:
mode:
authorSeth Forshee <seth.forshee@canonical.com>2016-04-26 14:36:25 -0500
committerEric W. Biederman <ebiederm@xmission.com>2016-06-27 21:58:25 -0500
commita475acf01f79e89a1a5845733e10108d80f77188 (patch)
tree69c43e9a9ae185e8c7f0469c1c3695acd0712104 /fs/attr.c
parentaad82892af261b9903cc11c55be3ecf5f0b0b4f8 (diff)
fs: Refuse uid/gid changes which don't map into s_user_ns
Add checks to notify_change to verify that uid and gid changes will map into the superblock's user namespace. If they do not fail with -EOVERFLOW. This is mandatory so that fileystems don't have to even think of dealing with ia_uid and ia_gid that --EWB Moved the test from inode_change_ok to notify_change Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'fs/attr.c')
-rw-r--r--fs/attr.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/fs/attr.c b/fs/attr.c
index 25b24d0f6c88..dd723578ddce 100644
--- a/fs/attr.c
+++ b/fs/attr.c
@@ -255,6 +255,17 @@ int notify_change(struct dentry * dentry, struct iattr * attr, struct inode **de
if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
return 0;
+ /*
+ * Verify that uid/gid changes are valid in the target
+ * namespace of the superblock.
+ */
+ if (ia_valid & ATTR_UID &&
+ !kuid_has_mapping(inode->i_sb->s_user_ns, attr->ia_uid))
+ return -EOVERFLOW;
+ if (ia_valid & ATTR_GID &&
+ !kgid_has_mapping(inode->i_sb->s_user_ns, attr->ia_gid))
+ return -EOVERFLOW;
+
error = security_inode_setattr(dentry, attr);
if (error)
return error;