| author | Christian Brauner <brauner@kernel.org> | 2024-11-29 14:38:03 +0100 |
|---|---|---|
| committer | Christian Brauner <brauner@kernel.org> | 2024-12-14 12:40:41 +0100 |
| commit | 6ebb05b48e9c555f23a042dcbb45280a0f26def8 (patch) | |
| tree | 0422cb08cc5dc52031c410bb37580c6b0f7fa1c1 /fs/fhandle.c | |
| parent | 50166d57ea8c5042ecba0ee22532617d72ed085a (diff) | |
fhandle: pull CAP_DAC_READ_SEARCH check into may_decode_fh()
There's no point in keeping it outside of that helper. This way we have
all the permission pieces in one place.
Link: https://lore.kernel.org/r/20241129-work-pidfs-file_handle-v1-4-87d803a42495@kernel.org
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Diffstat (limited to 'fs/fhandle.c')
-rw-r--r-- | fs/fhandle.c | 38 |
1 files changed, 21 insertions, 17 deletions
diff --git a/fs/fhandle.c b/fs/fhandle.c index f0b818f08aaa..e17029b1dc44 100644 --- a/fs/fhandle.c +++ b/fs/fhandle.c 
@@ -279,28 +279,32 @@ static int do_handle_to_path(struct file_handle *handle, struct path *path, return 0; } -/* - * Allow relaxed permissions of file handles if the caller has the - * ability to mount the filesystem or create a bind-mount of the - * provided @mountdirfd. - * - * In both cases the caller may be able to get an unobstructed way to - * the encoded file handle. If the caller is only able to create a - * bind-mount we need to verify that there are no locked mounts on top - * of it that could prevent us from getting to the encoded file. - * - * In principle, locked mounts can prevent the caller from mounting the - * filesystem but that only applies to procfs and sysfs neither of which - * support decoding file handles. - */ static inline bool may_decode_fh(struct handle_to_path_ctx *ctx, unsigned int o_flags) { struct path *root = &ctx->root; + if (capable(CAP_DAC_READ_SEARCH)) + return true; + /* - * Restrict to O_DIRECTORY to provide a deterministic API that avoids a - * confusing api in the face of disconnected non-dir dentries. + * Allow relaxed permissions of file handles if the caller has + * the ability to mount the filesystem or create a bind-mount of + * the provided @mountdirfd. + * + * In both cases the caller may be able to get an unobstructed + * way to the encoded file handle. If the caller is only able to + * create a bind-mount we need to verify that there are no + * locked mounts on top of it that could prevent us from getting + * to the encoded file. + * + * In principle, locked mounts can prevent the caller from + * mounting the filesystem but that only applies to procfs and + * sysfs neither of which support decoding file handles. + * + * Restrict to O_DIRECTORY to provide a deterministic API that + * avoids a confusing api in the face of disconnected non-dir + * dentries. * * There's only one dentry for each directory inode (VFS rule)... */ 
@@ -337,7 +341,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh, if (retval) goto out_err; - if (!capable(CAP_DAC_READ_SEARCH) && !may_decode_fh(&ctx, o_flags)) { + if (!may_decode_fh(&ctx, o_flags)) { retval = -EPERM; goto out_path; } |
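Review bot: In the first hunk, the new `if (capable(CAP_DAC_READ_SEARCH)) return true;` at the top of may_decode_fh() carries no comment of its own, and the block comment that follows it now runs the relaxed-permission rationale and the O_DIRECTORY restriction together. From the helper alone it is no longer obvious that a CAP_DAC_READ_SEARCH caller skips everything described below, including the locked-mount verification and the O_DIRECTORY restriction. Suggest a one-line comment above the capable() check saying that privileged callers are exempt from the restrictions that follow, and keeping the "Restrict to O_DIRECTORY" paragraph as its own comment rather than a continuation of the mount rationale. Minor style point in the same comment: "a deterministic API that avoids a confusing api" mixes capitalisation, so the second "api" could be fixed while the text is being moved. The second hunk keeps the evaluation order unchanged, since capable() was already the first operand of the old `!capable(CAP_DAC_READ_SEARCH) && !may_decode_fh(&ctx, o_flags)` test.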