summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/limits/linux.go
diff options
context:
space:
mode:
authorRahat Mahmood <rahat@google.com>2021-03-11 17:54:53 -0800
committergVisor bot <gvisor-bot@google.com>2021-03-11 17:59:13 -0800
commit192318a2316d84a3de9d28c29fbc73aae3e75206 (patch)
tree1d1d61fc5b34289e6c1744b6e32610a6938f872a /pkg/sentry/limits/linux.go
parenta7197c9c688fdfc2d37005063d3f6dbf9cef2341 (diff)
fusefs: Implement default_permissions and allow_other mount options.
By default, fusefs defers node permission checks to the server. The default_permissions mount option enables the usual unix permission checks based on the node owner and mode bits. Previously fusefs was incorrectly checking permissions unconditionally. Additionally, fusefs should restrict filesystem access to processes started by the mount owner to prevent the fuse daemon from gaining priviledge over other processes. The allow_other mount option overrides this behaviour. Previously fusefs was incorrectly skipping this check. Updates #3229 PiperOrigin-RevId: 362419092
Diffstat (limited to 'pkg/sentry/limits/linux.go')
0 files changed, 0 insertions, 0 deletions