Using old_creds as an indication that we are not overriding the credentials, bypass call to inode_owner_or_capable. This solves a problem with all execv calls being blocked when using the caller's credentials.
Signed-off-by: John Stultz <[email protected]> Signed-off-by: Mark Salyzyn <[email protected]> Fixes: 05acefb4872da ("ovl: check permission to open real file") To: [email protected] To: [email protected] Cc: Stephen Smalley <[email protected]> Cc: [email protected] Cc: [email protected] Cc: [email protected] v17 - rebase v16 - introduced fix over rebased series --- fs/overlayfs/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c index b1357bb067d9..9ab9663b02d8 100644 --- a/fs/overlayfs/file.c +++ b/fs/overlayfs/file.c @@ -53,7 +53,7 @@ static struct file *ovl_open_realfile(const struct file *file, err = inode_permission(realinode, MAY_OPEN | acc_mode); if (err) { realfile = ERR_PTR(err); - } else if (!inode_owner_or_capable(realinode)) { + } else if (old_cred && !inode_owner_or_capable(realinode)) { realfile = ERR_PTR(-EPERM); } else { realfile = open_with_fake_path(&file->f_path, flags, realinode, -- 2.29.0.rc1.297.gfa9743e501-goog
