From 42e212f6b7d4f6dd70e9751562f1524231e39a0e Mon Sep 17 00:00:00 2001 From: Fabricio Voznika Date: Wed, 26 Jun 2019 14:23:35 -0700 Subject: Preserve permissions when checking lower The code was wrongly assuming that only read access was required from the lower overlay when checking for permissions. This allowed non-writable files to be writable in the overlay. Fixes #316 PiperOrigin-RevId: 255263686
---
pkg/sentry/fs/inode_overlay.go | 6 ------ 1 file changed, 6 deletions(-) (limited to 'pkg/sentry/fs')
diff --git a/pkg/sentry/fs/inode_overlay.go b/pkg/sentry/fs/inode_overlay.go
index 57b8b14e3..920d86042 100644
--- a/pkg/sentry/fs/inode_overlay.go
+++ b/pkg/sentry/fs/inode_overlay.go
@@ -537,12 +537,6 @@ func overlayCheck(ctx context.Context, o *overlayEntry, p PermMask) error {
 if o.upper != nil {
 err = o.upper.check(ctx, p)
 } else {
- if p.Write {
- // Since writes will be redirected to the upper filesystem, the lower
- // filesystem need not be writable, but must be readable for copy-up.
- p.Write = false
- p.Read = true
- }
 err = o.lower.check(ctx, p)
 }
 o.copyMu.RUnlock()
-- cgit v1.2.3
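Review bot: The `else` branch of overlayCheck is left with no comment explaining why the caller's mask now reaches `o.lower.check(ctx, p)` unmodified, and the deleted comment was the only record of the copy-up reasoning that produced the bug. I would add above that call `// Check the caller's mask as-is: a file that is not writable in lower must stay non-writable in the overlay, even though writes are redirected to upper after copy-up.` so the relaxation is not reintroduced later. Copy-up presumably still has to read the lower file, so it is worth confirming that a write request on a lower file that grants write but not read is handled where copy-up happens; that path is not visible in this hunk. The diffstat lists only this file, so a regression test for the case in #316 appears to be missing from the commit. overlayCheck's body starts and ends outside the hunk.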