author | Dean Deng <deandeng@google.com> | 2020-06-27 14:38:20 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-06-27 14:39:41 -0700 |
commit | 02d552d07c4415978d2ce418fb16baf238d0ff78 (patch) | |
tree | 37c414e743978b9f86453d66fa926abeffce1093 /pkg/sentry/vfs | |
parent | 691c04278ee6cf579e2b2dafb28e39861ce21bb9 (diff) |
Support sticky bit in vfs2.
Updates #2923.
PiperOrigin-RevId: 318648128
Diffstat (limited to 'pkg/sentry/vfs')
-rw-r--r-- | pkg/sentry/vfs/permissions.go | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/pkg/sentry/vfs/permissions.go b/pkg/sentry/vfs/permissions.go
index afe2be8d7..9cb050597 100644
--- a/pkg/sentry/vfs/permissions.go
+++ b/pkg/sentry/vfs/permissions.go
@@ -230,6 +230,20 @@ func CheckSetStat(ctx context.Context, creds *auth.Credentials, stat *linux.Stat
 	return nil
 }
+// CheckDeleteSticky checks whether the sticky bit is set on a directory with
+// the given file mode, and if so, checks whether creds has permission to
+// remove a file owned by childKUID from a directory with the given mode.
+// CheckDeleteSticky is consistent with fs/linux.h:check_sticky().
+func CheckDeleteSticky(creds *auth.Credentials, parentMode linux.FileMode, childKUID auth.KUID) error {
+	if parentMode&linux.ModeSticky == 0 {
+		return nil
+	}
+	if CanActAsOwner(creds, childKUID) {
+		return nil
+	}
+	return syserror.EPERM
+}
+
 // CanActAsOwner returns true if creds can act as the owner of a file with the
 // given owning UID, consistent with Linux's
 // fs/inode.c:inode_owner_or_capable().
|
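Review bot: CheckDeleteSticky only consults the child's owner, but the Linux check it claims to mirror (fs/linux.h:check_sticky(), which calls __check_sticky()) also permits the unlink when the caller owns the parent directory itself, and the new signature carries no parent owner UID, so that case cannot be honoured here. Unless every caller checks parent ownership before calling in (not visible in this hunk), a directory owner will get EPERM for other users' files in their own sticky directory; the deviation is overly strict rather than permissive, but it is still a divergence from the documented reference. One way to close it is `func CheckDeleteSticky(creds *auth.Credentials, parentMode linux.FileMode, parentKUID, childKUID auth.KUID) error` with the owner test becoming `if CanActAsOwner(creds, parentKUID) || CanActAsOwner(creds, childKUID) {`, and the doc comment stating that ownership of either the parent directory or the child suffices. If the parent-owner case is deliberately left to callers, the doc comment should say so explicitly so the "consistent with check_sticky()" claim is not read as complete.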