| From 43ccbb36a2d56f32c4ec24e029630258f8a12a5f Mon Sep 17 00:00:00 2001 |
| From: Mark Salyzyn <salyzyn@android.com> |
| Date: Thu, 14 Jun 2018 11:15:22 -0700 |
| Subject: [PATCH] FROMLIST: overlayfs: override_creds=off option bypass |
| creator_cred |
| |
| By default, all access to the upper, lower and work directories is the |
| recorded mounter's MAC and DAC credentials. The incoming accesses are |
| checked against the caller's credentials. |
| |
| If the principles of least privilege are applied, the mounter's |
| credentials might not overlap the credentials of the caller's when |
| accessing the overlayfs filesystem. For example, a file that a lower |
| DAC privileged caller can execute, is MAC denied to the generally |
| higher DAC privileged mounter, to prevent an attack vector. |
| |
| We add the option to turn off override_creds in the mount options; all |
| subsequent operations after mount on the filesystem will be only the |
| caller's credentials. The module boolean parameter and mount option |
| override_creds is also added as a presence check for this "feature", |
| existence of /sys/module/overlay/parameters/override_creds. |
| |
| It was not always this way. Circa 4.6 there was no recorded mounter's |
| credentials, instead privileged access to upper or work directories |
| were temporarily increased to perform the operations. The MAC |
| (selinux) policies were caller's in all cases. override_creds=off |
| partially returns us to this older access model minus the insecure |
| temporary credential increases. This is to permit use in a system |
| with non-overlapping security models for each executable including |
| the agent that mounts the overlayfs filesystem. In Android |
| this is the case since init, which performs the mount operations, |
| has a minimal MAC set of privileges to reduce any attack surface, |
| and services that use the content have a different set of MAC |
| privileges (eg: read, for vendor labelled configuration, execute for |
| vendor libraries and modules). The caveats are not a problem in |
| the Android usage model, however they should be fixed for |
| completeness and for general use in time. |
| |
| Signed-off-by: Mark Salyzyn <salyzyn@android.com> |
| Cc: Miklos Szeredi <miklos@szeredi.hu> |
| Cc: Jonathan Corbet <corbet@lwn.net> |
| Cc: Vivek Goyal <vgoyal@redhat.com> |
| Cc: Eric W. Biederman <ebiederm@xmission.com> |
| Cc: Amir Goldstein <amir73il@gmail.com> |
| Cc: Randy Dunlap <rdunlap@infradead.org> |
| Cc: Stephen Smalley <sds@tycho.nsa.gov> |
| Cc: linux-unionfs@vger.kernel.org |
| Cc: linux-doc@vger.kernel.org |
| Cc: linux-kernel@vger.kernel.org |
| Cc: kernel-team@android.com |
| |
| (cherry picked from https://lore.kernel.org/lkml/20191104215253.141818-5-salyzyn@android.com/) |
| Signed-off-by: Mark Salyzyn <salyzyn@google.com> |
| Bug: 133515582 |
| Bug: 136124883 |
| Bug: 129319403 |
| Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
| [fixed up for 5.6-rc1 changes] |
| Change-Id: I7980d18e2a5aa97dd2d9fb291fea6deb649f6a34 |
| --- |
| Documentation/filesystems/overlayfs.rst | 23 +++++++++++++++++++++++ |
| fs/overlayfs/copy_up.c | 2 +- |
| fs/overlayfs/dir.c | 17 ++++++++++------- |
| fs/overlayfs/file.c | 21 +++++++++++---------- |
| fs/overlayfs/inode.c | 20 ++++++++++---------- |
| fs/overlayfs/namei.c | 6 +++--- |
| fs/overlayfs/overlayfs.h | 1 + |
| fs/overlayfs/ovl_entry.h | 1 + |
| fs/overlayfs/readdir.c | 4 ++-- |
| fs/overlayfs/super.c | 22 +++++++++++++++++++++- |
| fs/overlayfs/util.c | 12 ++++++++++-- |
| 11 files changed, 93 insertions(+), 36 deletions(-) |
| |
| diff --git a/Documentation/filesystems/overlayfs.rst b/Documentation/filesystems/overlayfs.rst |
| --- a/Documentation/filesystems/overlayfs.rst |
| +++ b/Documentation/filesystems/overlayfs.rst |
| @@ -137,6 +137,29 @@ Only the lists of names from directories are merged. Other content |
| such as metadata and extended attributes are reported for the upper |
| directory only. These attributes of the lower directory are hidden. |
| |
| +credentials |
| +----------- |
| + |
| +By default, all access to the upper, lower and work directories is the |
| +recorded mounter's MAC and DAC credentials. The incoming accesses are |
| +checked against the caller's credentials. |
| + |
| +In the case where caller MAC or DAC credentials do not overlap, a |
| +use case available in older versions of the driver, the |
| +override_creds mount flag can be turned off and help when the use |
| +pattern has caller with legitimate credentials where the mounter |
| +does not. Several unintended side effects will occur though. The |
| +caller without certain key capabilities or lower privilege will not |
| +always be able to delete files or directories, create nodes, or |
| +search some restricted directories. The ability to search and read |
| +a directory entry is spotty as a result of the cache mechanism not |
| +retesting the credentials because of the assumption, a privileged |
| +caller can fill cache, then a lower privilege can read the directory |
| +cache. The uneven security model where cache, upperdir and workdir |
| +are opened at privilege, but accessed without creating a form of |
| +privilege escalation, should only be used with strict understanding |
| +of the side effects and of the security policies. |
| + |
| whiteouts and opaque directories |
| -------------------------------- |
| |
| diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c |
| --- a/fs/overlayfs/copy_up.c |
| +++ b/fs/overlayfs/copy_up.c |
| @@ -1019,7 +1019,7 @@ static int ovl_copy_up_flags(struct dentry *dentry, int flags) |
| dput(parent); |
| dput(next); |
| } |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| |
| return err; |
| } |
| diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c |
| --- a/fs/overlayfs/dir.c |
| +++ b/fs/overlayfs/dir.c |
| @@ -570,7 +570,7 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, |
| struct ovl_cattr *attr, bool origin) |
| { |
| int err; |
| - const struct cred *old_cred; |
| + const struct cred *old_cred, *hold_cred = NULL; |
| struct cred *override_cred; |
| struct dentry *parent = dentry->d_parent; |
| |
| @@ -597,14 +597,15 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, |
| override_cred->fsgid = inode->i_gid; |
| if (!attr->hardlink) { |
| err = security_dentry_create_files_as(dentry, |
| - attr->mode, &dentry->d_name, old_cred, |
| + attr->mode, &dentry->d_name, |
| + old_cred ? old_cred : current_cred(), |
| override_cred); |
| if (err) { |
| put_cred(override_cred); |
| goto out_revert_creds; |
| } |
| } |
| - put_cred(override_creds(override_cred)); |
| + hold_cred = override_creds(override_cred); |
| put_cred(override_cred); |
| |
| if (!ovl_dentry_is_whiteout(dentry)) |
| @@ -613,7 +614,9 @@ static int ovl_create_or_link(struct dentry *dentry, struct inode *inode, |
| err = ovl_create_over_whiteout(dentry, inode, attr); |
| } |
| out_revert_creds: |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred ?: hold_cred); |
| + if (old_cred && hold_cred) |
| + put_cred(hold_cred); |
| return err; |
| } |
| |
| @@ -690,7 +693,7 @@ static int ovl_set_link_redirect(struct dentry *dentry) |
| |
| old_cred = ovl_override_creds(dentry->d_sb); |
| err = ovl_set_redirect(dentry, false); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| |
| return err; |
| } |
| @@ -909,7 +912,7 @@ static int ovl_do_remove(struct dentry *dentry, bool is_dir) |
| err = ovl_remove_upper(dentry, is_dir, &list); |
| else |
| err = ovl_remove_and_whiteout(dentry, &list); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| if (!err) { |
| if (is_dir) |
| clear_nlink(dentry->d_inode); |
| @@ -1284,7 +1287,7 @@ static int ovl_rename(struct user_namespace *mnt_userns, struct inode *olddir, |
| out_unlock: |
| unlock_rename(new_upperdir, old_upperdir); |
| out_revert_creds: |
| - revert_creds(old_cred); |
| + ovl_revert_creds(old->d_sb, old_cred); |
| if (update_nlink) |
| ovl_nlink_end(new); |
| out_drop_write: |
| diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c |
| --- a/fs/overlayfs/file.c |
| +++ b/fs/overlayfs/file.c |
| @@ -60,7 +60,7 @@ static struct file *ovl_open_realfile(const struct file *file, |
| realfile = open_with_fake_path(&file->f_path, flags, realinode, |
| current_cred()); |
| } |
| - revert_creds(old_cred); |
| + ovl_revert_creds(inode->i_sb, old_cred); |
| |
| pr_debug("open(%p[%pD2/%c], 0%o) -> (%p, 0%o)\n", |
| file, file, ovl_whatisit(inode, realinode), file->f_flags, |
| @@ -204,7 +204,7 @@ static loff_t ovl_llseek(struct file *file, loff_t offset, int whence) |
| |
| old_cred = ovl_override_creds(inode->i_sb); |
| ret = vfs_llseek(real.file, offset, whence); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(inode->i_sb, old_cred); |
| |
| file->f_pos = real.file->f_pos; |
| ovl_inode_unlock(inode); |
| @@ -324,7 +324,8 @@ static ssize_t ovl_read_iter(struct kiocb *iocb, struct iov_iter *iter) |
| ovl_aio_cleanup_handler(aio_req); |
| } |
| out: |
| - revert_creds(old_cred); |
| + ovl_revert_creds(file_inode(file)->i_sb, old_cred); |
| + |
| ovl_file_accessed(file); |
| out_fdput: |
| fdput(real); |
| @@ -395,7 +396,7 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter) |
| ovl_aio_cleanup_handler(aio_req); |
| } |
| out: |
| - revert_creds(old_cred); |
| + ovl_revert_creds(file_inode(file)->i_sb, old_cred); |
| out_fdput: |
| fdput(real); |
| |
| @@ -441,7 +442,7 @@ static ssize_t ovl_splice_write(struct pipe_inode_info *pipe, struct file *out, |
| file_end_write(real.file); |
| /* Update size */ |
| ovl_copyattr(realinode, inode); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(inode->i_sb, old_cred); |
| fdput(real); |
| |
| out_unlock: |
| @@ -468,7 +469,7 @@ static int ovl_fsync(struct file *file, loff_t start, loff_t end, int datasync) |
| if (file_inode(real.file) == ovl_inode_upper(file_inode(file))) { |
| old_cred = ovl_override_creds(file_inode(file)->i_sb); |
| ret = vfs_fsync_range(real.file, start, end, datasync); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(file_inode(file)->i_sb, old_cred); |
| } |
| |
| fdput(real); |
| @@ -492,7 +493,7 @@ static int ovl_mmap(struct file *file, struct vm_area_struct *vma) |
| |
| old_cred = ovl_override_creds(file_inode(file)->i_sb); |
| ret = call_mmap(vma->vm_file, vma); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(file_inode(file)->i_sb, old_cred); |
| ovl_file_accessed(file); |
| |
| return ret; |
| @@ -511,7 +512,7 @@ static long ovl_fallocate(struct file *file, int mode, loff_t offset, loff_t len |
| |
| old_cred = ovl_override_creds(file_inode(file)->i_sb); |
| ret = vfs_fallocate(real.file, mode, offset, len); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(file_inode(file)->i_sb, old_cred); |
| |
| /* Update size */ |
| ovl_copyattr(ovl_inode_real(inode), inode); |
| @@ -533,7 +534,7 @@ static int ovl_fadvise(struct file *file, loff_t offset, loff_t len, int advice) |
| |
| old_cred = ovl_override_creds(file_inode(file)->i_sb); |
| ret = vfs_fadvise(real.file, offset, len, advice); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(file_inode(file)->i_sb, old_cred); |
| |
| fdput(real); |
| |
| @@ -583,7 +584,7 @@ static loff_t ovl_copyfile(struct file *file_in, loff_t pos_in, |
| flags); |
| break; |
| } |
| - revert_creds(old_cred); |
| + ovl_revert_creds(file_inode(file_out)->i_sb, old_cred); |
| |
| /* Update size */ |
| ovl_copyattr(ovl_inode_real(inode_out), inode_out); |
| diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c |
| --- a/fs/overlayfs/inode.c |
| +++ b/fs/overlayfs/inode.c |
| @@ -78,7 +78,7 @@ int ovl_setattr(struct user_namespace *mnt_userns, struct dentry *dentry, |
| inode_lock(upperdentry->d_inode); |
| old_cred = ovl_override_creds(dentry->d_sb); |
| err = notify_change(&init_user_ns, upperdentry, attr, NULL); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| if (!err) |
| ovl_copyattr(upperdentry->d_inode, dentry->d_inode); |
| inode_unlock(upperdentry->d_inode); |
| @@ -270,7 +270,7 @@ int ovl_getattr(struct user_namespace *mnt_userns, const struct path *path, |
| stat->nlink = dentry->d_inode->i_nlink; |
| |
| out: |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| |
| return err; |
| } |
| @@ -305,7 +305,7 @@ int ovl_permission(struct user_namespace *mnt_userns, |
| mask |= MAY_READ; |
| } |
| err = inode_permission(&init_user_ns, realinode, mask); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(inode->i_sb, old_cred); |
| |
| return err; |
| } |
| @@ -322,7 +322,7 @@ static const char *ovl_get_link(struct dentry *dentry, |
| |
| old_cred = ovl_override_creds(dentry->d_sb); |
| p = vfs_get_link(ovl_dentry_real(dentry), done); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| return p; |
| } |
| |
| @@ -353,7 +353,7 @@ int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name, |
| if (!value && !upperdentry) { |
| old_cred = ovl_override_creds(dentry->d_sb); |
| err = vfs_getxattr(&init_user_ns, realdentry, name, NULL, 0); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| if (err < 0) |
| goto out_drop_write; |
| } |
| @@ -374,7 +374,7 @@ int ovl_xattr_set(struct dentry *dentry, struct inode *inode, const char *name, |
| WARN_ON(flags != XATTR_REPLACE); |
| err = vfs_removexattr(&init_user_ns, realdentry, name); |
| } |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| |
| /* copy c/mtime */ |
| ovl_copyattr(d_inode(realdentry), inode); |
| @@ -396,7 +396,7 @@ int ovl_xattr_get(struct dentry *dentry, struct inode *inode, const char *name, |
| old_cred = ovl_override_creds(dentry->d_sb); |
| res = __vfs_getxattr(realdentry, d_inode(realdentry), name, |
| value, size, flags); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| return res; |
| } |
| |
| @@ -424,7 +424,7 @@ ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) |
| |
| old_cred = ovl_override_creds(dentry->d_sb); |
| res = vfs_listxattr(realdentry, list, size); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| if (res <= 0 || size == 0) |
| return res; |
| |
| @@ -462,7 +462,7 @@ struct posix_acl *ovl_get_acl(struct inode *inode, int type, bool rcu) |
| |
| old_cred = ovl_override_creds(inode->i_sb); |
| acl = get_acl(realinode, type); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(inode->i_sb, old_cred); |
| |
| return acl; |
| } |
| @@ -496,7 +496,7 @@ static int ovl_fiemap(struct inode *inode, struct fiemap_extent_info *fieinfo, |
| |
| old_cred = ovl_override_creds(inode->i_sb); |
| err = realinode->i_op->fiemap(realinode, fieinfo, start, len); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(inode->i_sb, old_cred); |
| |
| return err; |
| } |
| diff --git a/fs/overlayfs/namei.c b/fs/overlayfs/namei.c |
| --- a/fs/overlayfs/namei.c |
| +++ b/fs/overlayfs/namei.c |
| @@ -1107,7 +1107,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry, |
| ovl_dentry_update_reval(dentry, upperdentry, |
| DCACHE_OP_REVALIDATE | DCACHE_OP_WEAK_REVALIDATE); |
| |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| if (origin_path) { |
| dput(origin_path->dentry); |
| kfree(origin_path); |
| @@ -1134,7 +1134,7 @@ struct dentry *ovl_lookup(struct inode *dir, struct dentry *dentry, |
| kfree(upperredirect); |
| out: |
| kfree(d.redirect); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| return ERR_PTR(err); |
| } |
| |
| @@ -1186,7 +1186,7 @@ bool ovl_lower_positive(struct dentry *dentry) |
| dput(this); |
| } |
| } |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| |
| return positive; |
| } |
| diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h |
| --- a/fs/overlayfs/overlayfs.h |
| +++ b/fs/overlayfs/overlayfs.h |
| @@ -281,6 +281,7 @@ int ovl_want_write(struct dentry *dentry); |
| void ovl_drop_write(struct dentry *dentry); |
| struct dentry *ovl_workdir(struct dentry *dentry); |
| const struct cred *ovl_override_creds(struct super_block *sb); |
| +void ovl_revert_creds(struct super_block *sb, const struct cred *oldcred); |
| int ovl_can_decode_fh(struct super_block *sb); |
| struct dentry *ovl_indexdir(struct super_block *sb); |
| bool ovl_index_all(struct super_block *sb); |
| diff --git a/fs/overlayfs/ovl_entry.h b/fs/overlayfs/ovl_entry.h |
| --- a/fs/overlayfs/ovl_entry.h |
| +++ b/fs/overlayfs/ovl_entry.h |
| @@ -20,6 +20,7 @@ struct ovl_config { |
| bool metacopy; |
| bool userxattr; |
| bool ovl_volatile; |
| + bool override_creds; |
| }; |
| |
| struct ovl_sb { |
| diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c |
| --- a/fs/overlayfs/readdir.c |
| +++ b/fs/overlayfs/readdir.c |
| @@ -286,7 +286,7 @@ static int ovl_check_whiteouts(struct dentry *dir, struct ovl_readdir_data *rdd) |
| } |
| inode_unlock(dir->d_inode); |
| } |
| - revert_creds(old_cred); |
| + ovl_revert_creds(rdd->dentry->d_sb, old_cred); |
| |
| return err; |
| } |
| @@ -967,7 +967,7 @@ int ovl_check_empty_dir(struct dentry *dentry, struct list_head *list) |
| |
| old_cred = ovl_override_creds(dentry->d_sb); |
| err = ovl_dir_read_merged(dentry, list, &root); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| if (err) |
| return err; |
| |
| diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c |
| --- a/fs/overlayfs/super.c |
| +++ b/fs/overlayfs/super.c |
| @@ -53,6 +53,11 @@ module_param_named(xino_auto, ovl_xino_auto_def, bool, 0644); |
| MODULE_PARM_DESC(xino_auto, |
| "Auto enable xino feature"); |
| |
| +static bool __read_mostly ovl_override_creds_def = true; |
| +module_param_named(override_creds, ovl_override_creds_def, bool, 0644); |
| +MODULE_PARM_DESC(ovl_override_creds_def, |
| + "Use mounter's credentials for accesses"); |
| + |
| static void ovl_entry_stack_free(struct ovl_entry *oe) |
| { |
| unsigned int i; |
| @@ -382,6 +387,9 @@ static int ovl_show_options(struct seq_file *m, struct dentry *dentry) |
| seq_puts(m, ",volatile"); |
| if (ofs->config.userxattr) |
| seq_puts(m, ",userxattr"); |
| + if (ofs->config.override_creds != ovl_override_creds_def) |
| + seq_show_option(m, "override_creds", |
| + ofs->config.override_creds ? "on" : "off"); |
| return 0; |
| } |
| |
| @@ -437,6 +445,8 @@ enum { |
| OPT_METACOPY_ON, |
| OPT_METACOPY_OFF, |
| OPT_VOLATILE, |
| + OPT_OVERRIDE_CREDS_ON, |
| + OPT_OVERRIDE_CREDS_OFF, |
| OPT_ERR, |
| }; |
| |
| @@ -459,6 +469,8 @@ static const match_table_t ovl_tokens = { |
| {OPT_METACOPY_ON, "metacopy=on"}, |
| {OPT_METACOPY_OFF, "metacopy=off"}, |
| {OPT_VOLATILE, "volatile"}, |
| + {OPT_OVERRIDE_CREDS_ON, "override_creds=on"}, |
| + {OPT_OVERRIDE_CREDS_OFF, "override_creds=off"}, |
| {OPT_ERR, NULL} |
| }; |
| |
| @@ -518,6 +530,7 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config) |
| config->redirect_mode = kstrdup(ovl_redirect_mode_def(), GFP_KERNEL); |
| if (!config->redirect_mode) |
| return -ENOMEM; |
| + config->override_creds = ovl_override_creds_def; |
| |
| while ((p = ovl_next_opt(&opt)) != NULL) { |
| int token; |
| @@ -619,6 +632,14 @@ static int ovl_parse_opt(char *opt, struct ovl_config *config) |
| config->userxattr = true; |
| break; |
| |
| + case OPT_OVERRIDE_CREDS_ON: |
| + config->override_creds = true; |
| + break; |
| + |
| + case OPT_OVERRIDE_CREDS_OFF: |
| + config->override_creds = false; |
| + break; |
| + |
| default: |
| pr_err("unrecognized mount option \"%s\" or missing value\n", |
| p); |
| @@ -2138,7 +2159,6 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent) |
| kfree(splitlower); |
| |
| sb->s_root = root_dentry; |
| - |
| return 0; |
| |
| out_free_oe: |
| diff --git a/fs/overlayfs/util.c b/fs/overlayfs/util.c |
| --- a/fs/overlayfs/util.c |
| +++ b/fs/overlayfs/util.c |
| @@ -38,9 +38,17 @@ const struct cred *ovl_override_creds(struct super_block *sb) |
| { |
| struct ovl_fs *ofs = sb->s_fs_info; |
| |
| + if (!ofs->config.override_creds) |
| + return NULL; |
| return override_creds(ofs->creator_cred); |
| } |
| |
| +void ovl_revert_creds(struct super_block *sb, const struct cred *old_cred) |
| +{ |
| + if (old_cred) |
| + revert_creds(old_cred); |
| +} |
| + |
| /* |
| * Check if underlying fs supports file handles and try to determine encoding |
| * type, in order to deduce maximum inode number used by fs. |
| @@ -899,7 +907,7 @@ int ovl_nlink_start(struct dentry *dentry) |
| * value relative to the upper inode nlink in an upper inode xattr. |
| */ |
| err = ovl_set_nlink_upper(dentry); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| |
| out: |
| if (err) |
| @@ -917,7 +925,7 @@ void ovl_nlink_end(struct dentry *dentry) |
| |
| old_cred = ovl_override_creds(dentry->d_sb); |
| ovl_cleanup_index(dentry); |
| - revert_creds(old_cred); |
| + ovl_revert_creds(dentry->d_sb, old_cred); |
| } |
| |
| ovl_inode_unlock(inode); |
| -- |
| 2.33.0.882.g93a45727a2-goog |
| |