[Devel] [PATCH RHEL7 COMMIT] ve/sysfs: do not inherit ve permissions from parent

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jul 6 06:50:03 PDT 2015


The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-123.1.2.vz7.5.24
------>
commit f134351a30bb0bd2641cb9a2bbc3ef1ec120d674
Author: Vladimir Davydov <vdavydov at parallels.com>
Date:   Mon Jul 6 17:50:03 2015 +0400

    ve/sysfs: do not inherit ve permissions from parent
    
    Otherwise when a new ploop is created, all containers that have access
    to devices/virtual/block will gain access to the new ploop too, which is
    a security breach.
    
    https://jira.sw.ru/browse/PSBM-34682
    
    Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
    Acked-by: Andrew Vagin <avagin at odin.com>
---
 fs/sysfs/dir.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index e12273c..da73287 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -483,8 +483,7 @@ int __sysfs_add_one(struct sysfs_addrm_cxt *acxt, struct sysfs_dirent *sd)
 	sd->s_hash = sysfs_name_hash(sd->s_ns, sd->s_name);
 	sd->s_parent = sysfs_get(acxt->parent_sd);
 
-	/* Copy permissions from parent */
-	sd->s_ve_perms = kmapset_get(sd->s_parent->s_ve_perms);
+	sd->s_ve_perms = kmapset_commit(kmapset_new(&ve_sysfs_perms));
 
 	ret = sysfs_link_sibling(sd);
 	if (ret)
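Review bot: the new line replaces a reference-taking call on an existing set (kmapset_get on the parent) with an allocating one (kmapset_new), yet the result is passed straight into kmapset_commit and stored without being checked; if kmapset_new can return NULL on allocation failure, `sd->s_ve_perms` should be checked here and the function should bail out with -ENOMEM (dropping the `sysfs_get(acxt->parent_sd)` reference taken two lines above) rather than proceeding to `sysfs_link_sibling`. Also, the removed "Copy permissions from parent" comment is not replaced; a one-line comment stating that permissions are deliberately not inherited, so a new entry under devices/virtual/block is not visible to containers that can see the parent, would keep the security rationale from the commit message next to the code.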
