Merge release-20200622.1-38-g02d552d07 (automated)

author: gVisor bot <gvisor-bot@google.com> 2020-06-27 21:42:12 +0000
committer: gVisor bot <gvisor-bot@google.com> 2020-06-27 21:42:12 +0000
commit: 21e2d1fe0c8adad3082f16fb0dc4e44fbffbee25 (patch)
tree: 4f57e58ab6b715c5a2a016f5926eb4be3ac1c7d2 /pkg/sentry/vfs
parent: d5c75d19c009ef26b9463fd26e3e49e1aace9674 (diff)
parent: 02d552d07c4415978d2ce418fb16baf238d0ff78 (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/pkg/sentry/vfs/permissions.go b/pkg/sentry/vfs/permissions.go
index afe2be8d7..9cb050597 100644
--- a/pkg/sentry/vfs/permissions.go
+++ b/pkg/sentry/vfs/permissions.go
@@ -230,6 +230,20 @@ func CheckSetStat(ctx context.Context, creds *auth.Credentials, stat *linux.Stat
 	return nil
 }
 
+// CheckDeleteSticky checks whether the sticky bit is set on a directory with
+// the given file mode, and if so, checks whether creds has permission to
+// remove a file owned by childKUID from a directory with the given mode.
+// CheckDeleteSticky is consistent with fs/linux.h:check_sticky().
+func CheckDeleteSticky(creds *auth.Credentials, parentMode linux.FileMode, childKUID auth.KUID) error {
+	if parentMode&linux.ModeSticky == 0 {
+		return nil
+	}
+	if CanActAsOwner(creds, childKUID) {
+		return nil
+	}
+	return syserror.EPERM
+}
+
 // CanActAsOwner returns true if creds can act as the owner of a file with the
 // given owning UID, consistent with Linux's
 // fs/inode.c:inode_owner_or_capable().
author	gVisor bot <gvisor-bot@google.com>	2020-06-27 21:42:12 +0000
committer	gVisor bot <gvisor-bot@google.com>	2020-06-27 21:42:12 +0000
commit	21e2d1fe0c8adad3082f16fb0dc4e44fbffbee25 (patch)
tree	4f57e58ab6b715c5a2a016f5926eb4be3ac1c7d2 /pkg/sentry/vfs
parent	d5c75d19c009ef26b9463fd26e3e49e1aace9674 (diff)
parent	02d552d07c4415978d2ce418fb16baf238d0ff78 (diff)