[Devel] [PATCH RHEL7 COMMIT] ve/sysfs: do not inherit ve permissions from parent
Konstantin Khorenko
khorenko at virtuozzo.com
Mon Jul 6 06:50:03 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-123.1.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-123.1.2.vz7.5.24
------>
commit f134351a30bb0bd2641cb9a2bbc3ef1ec120d674
Author: Vladimir Davydov <vdavydov at parallels.com>
Date: Mon Jul 6 17:50:03 2015 +0400
ve/sysfs: do not inherit ve permissions from parent
Otherwise when a new ploop is created, all containers that have access
to devices/virtual/block will gain access to the new ploop too, which is
a security breach.
https://jira.sw.ru/browse/PSBM-34682
Signed-off-by: Vladimir Davydov <vdavydov at parallels.com>
Acked-by: Andrew Vagin <avagin at odin.com>
---
fs/sysfs/dir.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index e12273c..da73287 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -483,8 +483,7 @@ int __sysfs_add_one(struct sysfs_addrm_cxt *acxt, struct sysfs_dirent *sd)
sd->s_hash = sysfs_name_hash(sd->s_ns, sd->s_name);
sd->s_parent = sysfs_get(acxt->parent_sd);
- /* Copy permissions from parent */
- sd->s_ve_perms = kmapset_get(sd->s_parent->s_ve_perms);
+ sd->s_ve_perms = kmapset_commit(kmapset_new(&ve_sysfs_perms));
ret = sysfs_link_sibling(sd);
if (ret)
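Review bot: the new `sd->s_ve_perms = kmapset_commit(kmapset_new(&ve_sysfs_perms));` line assigns the result of a fresh `kmapset_new()` allocation straight through `kmapset_commit()` with no failure check, whereas the line it replaces only took a reference on the parent's existing set with `kmapset_get()`. If `kmapset_new()` can return NULL on allocation failure, that case should be tested here and reported the same way `ret` from `sysfs_link_sibling()` is, rather than leaving the dirent with a NULL permission set. The removed `/* Copy permissions from parent */` comment should also be replaced with one stating the new intent, that each new dirent starts with its own default set rather than inheriting the parent's, since that is exactly the behaviour this change exists to guarantee and the next reader should not be tempted to "restore" the inheritance.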