diff options
author | gVisor bot <gvisor-bot@google.com> | 2020-01-16 22:22:32 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-01-16 22:22:32 +0000 |
commit | e0a3efa0659fe95594951425f74dc1f8c923b228 (patch) | |
tree | 80ef9cd4a2bd19fa4c7b0c112e958f68f6f7d6d8 /pkg/sentry | |
parent | 3da22a0071b4f5f7d693c445176b6dcbfec32b61 (diff) | |
parent | 3dd3275da7b665cf2ca297e4bf566fcc77025af8 (diff) |
Merge release-20200115.0-12-g3dd3275 (automated)
Diffstat (limited to 'pkg/sentry')
-rwxr-xr-x | pkg/sentry/vfs/permissions.go | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/pkg/sentry/vfs/permissions.go b/pkg/sentry/vfs/permissions.go index f1edb0680..d279d05ca 100755 --- a/pkg/sentry/vfs/permissions.go +++ b/pkg/sentry/vfs/permissions.go @@ -30,6 +30,26 @@ const ( MayExec = 1 ) +// OnlyRead returns true if access _only_ allows read. +func (a AccessTypes) OnlyRead() bool { + return a == MayRead +} + +// MayRead returns true if access allows read. +func (a AccessTypes) MayRead() bool { + return a&MayRead != 0 +} + +// MayWrite returns true if access allows write. +func (a AccessTypes) MayWrite() bool { + return a&MayWrite != 0 +} + +// MayExec returns true if access allows exec. +func (a AccessTypes) MayExec() bool { + return a&MayExec != 0 +} + // GenericCheckPermissions checks that creds has the given access rights on a // file with the given permissions, UID, and GID, subject to the rules of // fs/namei.c:generic_permission(). isDir is true if the file is a directory. @@ -53,7 +73,7 @@ func GenericCheckPermissions(creds *auth.Credentials, ats AccessTypes, isDir boo } // CAP_DAC_READ_SEARCH allows the caller to read and search arbitrary // directories, and read arbitrary non-directory files. - if (isDir && (ats&MayWrite == 0)) || ats == MayRead { + if (isDir && !ats.MayWrite()) || ats.OnlyRead() { if creds.HasCapability(linux.CAP_DAC_READ_SEARCH) { return nil } @@ -61,7 +81,7 @@ func GenericCheckPermissions(creds *auth.Credentials, ats AccessTypes, isDir boo // CAP_DAC_OVERRIDE allows arbitrary access to directories, read/write // access to non-directory files, and execute access to non-directory files // for which at least one execute bit is set. - if isDir || (ats&MayExec == 0) || (mode&0111 != 0) { + if isDir || !ats.MayExec() || (mode&0111 != 0) { if creds.HasCapability(linux.CAP_DAC_OVERRIDE) { return nil } |