diff options
author | Dean Deng <deandeng@google.com> | 2020-06-18 22:00:56 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-06-18 22:02:07 -0700 |
commit | 408f3d2cd64cae6b2f76a940c76236e9841c095f (patch) | |
tree | 8307bea8b81bd29925aedade970b12e9707bcf12 /pkg/sentry/vfs/permissions.go | |
parent | 70c45e09cfd15abeebd640a9a2ddd214078db651 (diff) |
Fix vfs2 tmpfs link permission checks.
Updates #2923.
PiperOrigin-RevId: 317246916
Diffstat (limited to 'pkg/sentry/vfs/permissions.go')
-rw-r--r-- | pkg/sentry/vfs/permissions.go | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/pkg/sentry/vfs/permissions.go b/pkg/sentry/vfs/permissions.go index f9647f90e..afe2be8d7 100644 --- a/pkg/sentry/vfs/permissions.go +++ b/pkg/sentry/vfs/permissions.go @@ -94,6 +94,37 @@ func GenericCheckPermissions(creds *auth.Credentials, ats AccessTypes, mode linu return syserror.EACCES } +// MayLink determines whether creating a hard link to a file with the given +// mode, kuid, and kgid is permitted. +// +// This corresponds to Linux's fs/namei.c:may_linkat. +func MayLink(creds *auth.Credentials, mode linux.FileMode, kuid auth.KUID, kgid auth.KGID) error { + // Source inode owner can hardlink all they like; otherwise, it must be a + // safe source. + if CanActAsOwner(creds, kuid) { + return nil + } + + // Only regular files can be hard linked. + if mode.FileType() != linux.S_IFREG { + return syserror.EPERM + } + + // Setuid files should not get pinned to the filesystem. + if mode&linux.S_ISUID != 0 { + return syserror.EPERM + } + + // Executable setgid files should not get pinned to the filesystem, but we + // don't support S_IXGRP anyway. + + // Hardlinking to unreadable or unwritable sources is dangerous. + if err := GenericCheckPermissions(creds, MayRead|MayWrite, mode, kuid, kgid); err != nil { + return syserror.EPERM + } + return nil +} + // AccessTypesForOpenFlags returns the access types required to open a file // with the given OpenOptions.Flags. Note that this is NOT the same thing as // the set of accesses permitted for the opened file: |