ovl: do not require mounter to have MAY_WRITE on lower
Now we have two levels of checks in ovl_permission(). Overlay inode
is checked with the creds of task while underlying inode is checked
with the creds of mounter.

Looks like mounter does not have to have WRITE access to files on lower/.
So remove the MAY_WRITE from access mask for checks on underlying
lower inode.

This means task should still have the MAY_WRITE permission on lower
inode and mounter is not required to have MAY_WRITE.

It also solves the problem of read only NFS mounts being used as lower.
If __inode_permission(lower_inode, MAY_WRITE) is called on read only
NFS, it fails. By resetting MAY_WRITE, check succeeds and case of
read only NFS should work with overlay without having to specify any
special mount options (default permission).

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Vivek Goyal authored and Miklos Szeredi committed Jul 29, 2016
1 parent 1175b6b commit 754f8cb
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions fs/overlayfs/inode.c
Expand Up @@ -184,6 +184,8 @@ int ovl_permission(struct inode *inode, int mask)
return err;

old_cred = ovl_override_creds(inode->i_sb);
if (!is_upper)
mask &= ~(MAY_WRITE | MAY_APPEND);
err = __inode_permission(realinode, mask);
revert_creds(old_cred);
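
Review bot: the added `mask &= ~(MAY_WRITE | MAY_APPEND);` under `if (!is_upper)` relaxes a permission check without a code comment saying why that is safe, and it clears MAY_APPEND although the commit message only discusses MAY_WRITE. Please add a short comment above the `if` stating that only the mounter-credential check on the lower inode drops these bits, while the task's own check on the overlay inode (the first of the two levels the commit message describes) still enforces write access, and mention MAY_APPEND in the commit message too. Because `mask` is modified in place, it is also worth confirming that nothing after `revert_creds(old_cred);` reads it expecting the caller's original value.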
