authorgVisor bot <gvisor-bot@google.com>2021-01-15 15:47:01 +0000
committergVisor bot <gvisor-bot@google.com>2021-01-15 15:47:01 +0000
commit578c5460b62f52063bef41203940a315deced6b3 (patch)
tree25ee54afd2fba0133c549110656d9efc631031c9 /pkg/sentry/fsimpl/tmpfs
parent6cc587a931cb704006e5d843f725b4be2d1523c9 (diff)
parente57ebcd37a7b9f98d80e594f2c0baf2220d7b830 (diff)
Merge release-20210112.0-25-ge57ebcd37 (automated)
Diffstat (limited to 'pkg/sentry/fsimpl/tmpfs')
-rw-r--r--pkg/sentry/fsimpl/tmpfs/filesystem.go9
1 files changed, 8 insertions, 1 deletions
diff --git a/pkg/sentry/fsimpl/tmpfs/filesystem.go b/pkg/sentry/fsimpl/tmpfs/filesystem.go
index 9296db2fb..453e41d11 100644
--- a/pkg/sentry/fsimpl/tmpfs/filesystem.go
+++ b/pkg/sentry/fsimpl/tmpfs/filesystem.go
@@ -153,7 +153,10 @@ func (fs *filesystem) doCreateAt(ctx context.Context, rp *vfs.ResolvingPath, dir
if err != nil {
return err
}
- if err := parentDir.inode.checkPermissions(rp.Credentials(), vfs.MayWrite|vfs.MayExec); err != nil {
+
+ // Order of checks is important. First check if parent directory can be
+ // executed, then check for existence, and lastly check if mount is writable.
+ if err := parentDir.inode.checkPermissions(rp.Credentials(), vfs.MayExec); err != nil {
return err
}
name := rp.Component()
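Review bot: The comment added above the `vfs.MayExec` check lists three steps, but the new code performs four: the parent directory's `vfs.MayWrite` check now sits in the second hunk, after the mount write check, and the comment never mentions it. Since the ordering is the whole point of the change, I would extend the comment to something like `// First check if parent directory can be executed, then check for existence, then check if mount is writable, and lastly check write permission on the parent directory.` The check added in the second hunk should also carry a one-line comment saying it is deliberately deferred, so that a later cleanup does not merge it back into the exec check. doCreateAt starts and ends outside both hunks.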
@@ -179,6 +182,10 @@ func (fs *filesystem) doCreateAt(ctx context.Context, rp *vfs.ResolvingPath, dir
return err
}
defer mnt.EndWrite()
+
+ if err := parentDir.inode.checkPermissions(rp.Credentials(), vfs.MayWrite); err != nil {
+ return err
+ }
if err := create(parentDir, name); err != nil {
return err
}
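Review bot: Because write permission on the parent is now checked only at this point, everything in doCreateAt between the `vfs.MayExec` check and this line runs for callers who have search permission on the directory but not write permission. The lines between the two hunks are not shown, so this needs confirming: nothing there should modify the directory or the mount before the `vfs.MayWrite` check, and `create(parentDir, name)` must stay the first mutation after it. A regression test that attempts to create both an existing and a non-existing name in a directory without write permission would pin the two outcomes and guard the ordering. The function body continues beyond this hunk.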