diff options
author | Rahat Mahmood <rahat@google.com> | 2021-03-11 17:54:53 -0800 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-03-11 17:59:13 -0800 |
commit | 192318a2316d84a3de9d28c29fbc73aae3e75206 (patch) | |
tree | 1d1d61fc5b34289e6c1744b6e32610a6938f872a /pkg/sentry/fsimpl/ext/ext.go | |
parent | a7197c9c688fdfc2d37005063d3f6dbf9cef2341 (diff) |
fusefs: Implement default_permissions and allow_other mount options.
By default, fusefs defers node permission checks to the server. The
default_permissions mount option enables the usual unix permission
checks based on the node owner and mode bits. Previously fusefs was
incorrectly checking permissions unconditionally.
Additionally, fusefs should restrict filesystem access to processes
started by the mount owner to prevent the fuse daemon from gaining
priviledge over other processes. The allow_other mount option
overrides this behaviour. Previously fusefs was incorrectly skipping
this check.
Updates #3229
PiperOrigin-RevId: 362419092
Diffstat (limited to 'pkg/sentry/fsimpl/ext/ext.go')
0 files changed, 0 insertions, 0 deletions