[Devel] [PATCH rh7] sysfs/ve: do not inherit ve permissions from parent

Andrew Vagin avagin at odin.com
Fri Jul 3 06:53:35 PDT 2015


On Fri, Jul 03, 2015 at 03:48:03PM +0300, Vladimir Davydov wrote:
> Otherwise when a new ploop is created, all containers that have access
> to devices/virtual/block will gain access to the new ploop too, which is
> a security breach.
> 
> https://jira.sw.ru/browse/PSBM-34682

Acked-by: Andrew Vagin <avagin at odin.com>
> 
> Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
> ---
>  fs/sysfs/dir.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
> index e12273c93e6f..da732876eb4a 100644
> --- a/fs/sysfs/dir.c
> +++ b/fs/sysfs/dir.c
> @@ -483,8 +483,7 @@ int __sysfs_add_one(struct sysfs_addrm_cxt *acxt, struct sysfs_dirent *sd)
>  	sd->s_hash = sysfs_name_hash(sd->s_ns, sd->s_name);
>  	sd->s_parent = sysfs_get(acxt->parent_sd);
>  
> -	/* Copy permissions from parent */
> -	sd->s_ve_perms = kmapset_get(sd->s_parent->s_ve_perms);
> +	sd->s_ve_perms = kmapset_commit(kmapset_new(&ve_sysfs_perms));
>  
>  	ret = sysfs_link_sibling(sd);
>  	if (ret)
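Review bot: the new `+` line allocates a fresh permission set with `kmapset_new(&ve_sysfs_perms)` but no failure check is visible in the hunk, unlike the replaced `kmapset_get(sd->s_parent->s_ve_perms)`, which only took a reference on an existing set; if `kmapset_new()` can return NULL on allocation failure, its result should be checked before it is handed to `kmapset_commit()` and an error returned the way `sysfs_link_sibling()`'s `ret` is handled just below. The removed `/* Copy permissions from parent */` comment should also be replaced with one stating that a new dirent starts with default ve permissions on purpose, since the commit message is the only place that explains why inheriting the parent's set was a security problem.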
> -- 
> 2.1.4
> 
