Merge release-20210112.0-25-ge57ebcd37 (automated)

author: gVisor bot <gvisor-bot@google.com> 2021-01-15 15:47:01 +0000
committer: gVisor bot <gvisor-bot@google.com> 2021-01-15 15:47:01 +0000
commit: 578c5460b62f52063bef41203940a315deced6b3 (patch)
tree: 25ee54afd2fba0133c549110656d9efc631031c9 /pkg/sentry/fsimpl/kernfs
parent: 6cc587a931cb704006e5d843f725b4be2d1523c9 (diff)
parent: e57ebcd37a7b9f98d80e594f2c0baf2220d7b830 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/pkg/sentry/fsimpl/kernfs/filesystem.go b/pkg/sentry/fsimpl/kernfs/filesystem.go
index e77523f22..a7a553619 100644
--- a/pkg/sentry/fsimpl/kernfs/filesystem.go
+++ b/pkg/sentry/fsimpl/kernfs/filesystem.go
@@ -208,7 +208,9 @@ func (fs *Filesystem) walkParentDirLocked(ctx context.Context, rp *vfs.Resolving
 // * Filesystem.mu must be locked for at least reading.
 // * isDir(parentInode) == true.
 func checkCreateLocked(ctx context.Context, creds *auth.Credentials, name string, parent *Dentry) error {
-	if err := parent.inode.CheckPermissions(ctx, creds, vfs.MayWrite|vfs.MayExec); err != nil {
+	// Order of checks is important. First check if parent directory can be
+	// executed, then check for existence, and lastly check if mount is writable.
+	if err := parent.inode.CheckPermissions(ctx, creds, vfs.MayExec); err != nil {
 		return err
 	}
 	if name == "." || name == ".." {
@@ -223,6 +225,9 @@ func checkCreateLocked(ctx context.Context, creds *auth.Credentials, name string
 	if parent.VFSDentry().IsDead() {
 		return syserror.ENOENT
 	}
+	if err := parent.inode.CheckPermissions(ctx, creds, vfs.MayWrite); err != nil {
+		return err
+	}
 	return nil
 }
author	gVisor bot <gvisor-bot@google.com>	2021-01-15 15:47:01 +0000
committer	gVisor bot <gvisor-bot@google.com>	2021-01-15 15:47:01 +0000
commit	578c5460b62f52063bef41203940a315deced6b3 (patch)
tree	25ee54afd2fba0133c549110656d9efc631031c9 /pkg/sentry/fsimpl/kernfs
parent	6cc587a931cb704006e5d843f725b4be2d1523c9 (diff)
parent	e57ebcd37a7b9f98d80e594f2c0baf2220d7b830 (diff)