From 42e212f6b7d4f6dd70e9751562f1524231e39a0e Mon Sep 17 00:00:00 2001 From: Fabricio Voznika Date: Wed, 26 Jun 2019 14:23:35 -0700 Subject: Preserve permissions when checking lower The code was wrongly assuming that only read access was required from the lower overlay when checking for permissions. This allowed non-writable files to be writable in the overlay. Fixes #316 PiperOrigin-RevId: 255263686 --- runsc/boot/fs.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'runsc/boot') diff --git a/runsc/boot/fs.go b/runsc/boot/fs.go index 67a286212..5c2220d83 100644 --- a/runsc/boot/fs.go +++ b/runsc/boot/fs.go @@ -85,6 +85,19 @@ func addOverlay(ctx context.Context, conf *Config, lower *fs.Inode, name string, if err != nil { return nil, fmt.Errorf("creating tmpfs overlay: %v", err) } + + // Replicate permissions and owner from lower to upper mount point. + attr, err := lower.UnstableAttr(ctx) + if err != nil { + return nil, fmt.Errorf("reading attributes from lower mount point: %v", err) + } + if !upper.InodeOperations.SetPermissions(ctx, upper, attr.Perms) { + return nil, fmt.Errorf("error setting permission to upper mount point") + } + if err := upper.InodeOperations.SetOwner(ctx, upper, attr.Owner); err != nil { + return nil, fmt.Errorf("setting owner to upper mount point: %v", err) + } + return fs.NewOverlayRoot(ctx, upper, lower, upperFlags) } -- cgit v1.2.3