* [PATCH] generic_permission: MAY_OPEN is not write access
@ 2009-12-29 20:50 Serge E. Hallyn
From: Serge E. Hallyn @ 2009-12-29 20:50 UTC (permalink / raw)
To: Linus Torvalds; +Cc: lkml, Mike Kazantsev, Al Viro
generic_permission was preventing CAP_DAC_READ_SEARCH-enabled
processes from opening DAC-protected files read-only, because
do_filp_open adds MAY_OPEN to the open mask.
Ignore MAY_OPEN. After this patch, CAP_DAC_READ_SEARCH is
again sufficient to open(fname, O_RDONLY) on a file to which
DAC otherwise refuses us read permission.
Reported-by: Mike Kazantsev <mk.fraggod@gmail.com>
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Tested-by: Mike Kazantsev <mk.fraggod@gmail.com>
---
fs/namei.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 68921d9..b55440b 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -232,6 +232,7 @@ int generic_permission(struct inode *inode, int mask,
/*
* Searching includes executable on directories, else just read.
*/
+ mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE)))
if (capable(CAP_DAC_READ_SEARCH))
return 0;
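Review bot: `mask &= MAY_READ | MAY_WRITE | MAY_EXEC;` clears every bit outside rwx, not only MAY_OPEN as the subject line and commit message state, and because it rewrites the `mask` parameter in place rather than a local copy, every check later in generic_permission sees the narrowed mask too. Either the commit message should say that all non-rwx bits are ignored for the remainder of the function, or, if only the open flag is meant to be dropped for the capability test, the narrowing should be limited to that (for example `mask &= ~MAY_OPEN;`) or applied to a local used only in the `mask == MAY_READ` comparison. A one-line comment above the new statement explaining that do_filp_open adds MAY_OPEN and why it must not be treated as write access would save the next reader a trip through the commit log.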
--
1.6.0.4