Preserve permissions when checking lower

The code was wrongly assuming that only read access was required from the lower overlay when checking for permissions. This allowed non-writable files to be writable in the overlay. Fixes #316 PiperOrigin-RevId: 255263686
author: Fabricio Voznika <fvoznika@google.com> 2019-06-26 14:23:35 -0700
committer: gVisor bot <gvisor-bot@google.com> 2019-06-26 14:24:44 -0700
commit: 42e212f6b7d4f6dd70e9751562f1524231e39a0e (patch)
tree: ead76a098737fe0bf48b52c9091f1edc88009f67 /pkg/sentry/fs/inode_overlay.go
parent: 857e5c47e914aeeec12662d85466d91bf4ce3504 (diff)
1 files changed, 0 insertions, 6 deletions
diff --git a/pkg/sentry/fs/inode_overlay.go b/pkg/sentry/fs/inode_overlay.go
index 57b8b14e3..920d86042 100644
--- a/pkg/sentry/fs/inode_overlay.go
+++ b/pkg/sentry/fs/inode_overlay.go
@@ -537,12 +537,6 @@ func overlayCheck(ctx context.Context, o *overlayEntry, p PermMask) error {
 	if o.upper != nil {
 		err = o.upper.check(ctx, p)
 	} else {
-		if p.Write {
-			// Since writes will be redirected to the upper filesystem, the lower
-			// filesystem need not be writable, but must be readable for copy-up.
-			p.Write = false
-			p.Read = true
-		}
 		err = o.lower.check(ctx, p)
 	}
 	o.copyMu.RUnlock()
author	Fabricio Voznika <fvoznika@google.com>	2019-06-26 14:23:35 -0700
committer	gVisor bot <gvisor-bot@google.com>	2019-06-26 14:24:44 -0700
commit	42e212f6b7d4f6dd70e9751562f1524231e39a0e (patch)
tree	ead76a098737fe0bf48b52c9091f1edc88009f67 /pkg/sentry/fs/inode_overlay.go
parent	857e5c47e914aeeec12662d85466d91bf4ce3504 (diff)