[Devel] [PATCH rh7] sysfs/ve: do not inherit ve permissions from parent
Vladimir Davydov
vdavydov at parallels.com
Fri Jul 3 05:48:03 PDT 2015
Otherwise when a new ploop is created, all containers that have access
to devices/virtual/block will gain access to the new ploop too, which is
a security breach.
https://jira.sw.ru/browse/PSBM-34682
Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
---
fs/sysfs/dir.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index e12273c93e6f..da732876eb4a 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -483,8 +483,7 @@ int __sysfs_add_one(struct sysfs_addrm_cxt *acxt, struct sysfs_dirent *sd)
sd->s_hash = sysfs_name_hash(sd->s_ns, sd->s_name);
sd->s_parent = sysfs_get(acxt->parent_sd);
- /* Copy permissions from parent */
- sd->s_ve_perms = kmapset_get(sd->s_parent->s_ve_perms);
+ sd->s_ve_perms = kmapset_commit(kmapset_new(&ve_sysfs_perms));
ret = sysfs_link_sibling(sd);
if (ret)
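Review bot: the new assignment `sd->s_ve_perms = kmapset_commit(kmapset_new(&ve_sysfs_perms));` has no failure handling, while the surrounding code does check `sysfs_link_sibling()`. If `kmapset_new()` can return NULL on allocation failure, the result should be checked before it is passed to `kmapset_commit()`, and the error path should return -ENOMEM and drop the `sysfs_get(acxt->parent_sd)` reference taken on the line above. Also, the removed `/* Copy permissions from parent */` comment is not replaced; a one-line comment saying that a new entry starts with the default permission set, so a container's access to a parent directory does not extend to children created later, would keep the reason for the change in the code rather than only in the commit message.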
--
2.1.4
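The inheritance problem the commit message describes, as an added C example that is not kernel or Virtuozzo code and does not use the real kmapset API: it models a per-VE permission set as a refcounted bitmask and compares the pre-patch behaviour (the child takes a reference to the parent's set) with the post-patch behaviour (the child gets a fresh, empty set). All names and the "VE 1 was granted devices/virtual/block, then a ploop entry appears" scenario are assumptions constructed for the illustration.

```c
/*
 * Added example, not kernel code: toy model of the sysfs per-VE permission
 * inheritance removed by the patch. Assumptions (hypothetical names, not
 * the kmapset API): a permission set is a refcounted bitmask of VE ids;
 * INHERIT_PARENT shares the parent's set by reference (pre-patch),
 * FRESH_SET allocates a new empty set (post-patch).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHILDREN 8

struct perm_set {
	unsigned refcnt;
	uint64_t ve_mask;	/* bit i set: VE i may see this entry */
};

struct node {
	const char *name;
	struct perm_set *perms;
	struct node *children[MAX_CHILDREN];
	int nchildren;
};

enum inherit_mode { INHERIT_PARENT, FRESH_SET };

static struct perm_set *perm_set_new(void)
{
	struct perm_set *p = calloc(1, sizeof(*p));
	if (p)
		p->refcnt = 1;
	return p;
}

static struct perm_set *perm_set_get(struct perm_set *p) { p->refcnt++; return p; }
static void perm_set_put(struct perm_set *p) { if (p && --p->refcnt == 0) free(p); }

/* Create a sysfs-like entry under parent (NULL for the root). */
static struct node *node_add(struct node *parent, const char *name,
			     enum inherit_mode mode)
{
	struct node *n = calloc(1, sizeof(*n));
	if (!n)
		return NULL;
	n->name = name;
	/* Pre-patch: share the parent's set; post-patch: start empty. */
	if (parent && mode == INHERIT_PARENT)
		n->perms = perm_set_get(parent->perms);
	else
		n->perms = perm_set_new();
	if (!n->perms) {
		free(n);
		return NULL;
	}
	if (parent && parent->nchildren < MAX_CHILDREN)
		parent->children[parent->nchildren++] = n;
	return n;
}

static void node_free(struct node *n)
{
	if (!n)
		return;
	for (int i = 0; i < n->nchildren; i++)
		node_free(n->children[i]);
	perm_set_put(n->perms);
	free(n);
}

static void node_grant(struct node *n, unsigned ve) { n->perms->ve_mask |= (uint64_t)1 << ve; }
static int node_visible(const struct node *n, unsigned ve) { return (int)((n->perms->ve_mask >> ve) & 1); }

/*
 * Constructed scenario from the commit message: VE 1 has been granted
 * devices/virtual/block, then a new ploop entry is created under it.
 * Returns 1 if VE 1 can see the new entry, 0 if not, -1 on allocation failure.
 */
static int new_ploop_visible(enum inherit_mode mode)
{
	struct node *block = node_add(NULL, "block", mode);
	if (!block)
		return -1;
	node_grant(block, 1);
	struct node *ploop = node_add(block, "ploopN", mode);	/* hypothetical name */
	int vis = ploop ? node_visible(ploop, 1) : -1;
	node_free(block);	/* drops ploop and both permission references */
	return vis;
}

int main(void)
{
	printf("new ploop visible to VE 1: inherit=%d fresh=%d\n",
	       new_ploop_visible(INHERIT_PARENT), new_ploop_visible(FRESH_SET));
	return 0;
}
```

With the shared set, any grant made on the parent directory (before or after the child exists) is a grant on every child, because they all point at the same object; with a fresh set per entry the new ploop is invisible until something explicitly grants it, which is the behaviour the patch switches to.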