• Jan Kara's avatar
    fs: Avoid premature clearing of capabilities · de42b955
    Jan Kara authored
    [ Upstream commit 030b533c ]
    
    Currently, notify_change() clears capabilities or IMA attributes by
    calling security_inode_killpriv() before calling into ->setattr. Thus it
    happens before any other permission checks in inode_change_ok() and user
    is thus allowed to trigger clearing of capabilities or IMA attributes
    for any file he can look up e.g. by calling chown for that file. This is
    unexpected and can lead to user DoSing a system.
    
    Fix the problem by calling security_inode_killpriv() at the end of
    inode_change_ok() instead of from notify_change(). At that moment we are
    sure user has permissions to do the requested change.
    
    References: CVE-2015-1350
    Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
    Signed-off-by: default avatarJan Kara <jack@suse.cz>
    Signed-off-by: default avatarPhilipp Hahn <hahn@univention.de>
    Signed-off-by: default avatarSasha Levin <alexander.levin@verizon.com>
    de42b955
attr.c 8.24 KB