| From foo@baz Mon Dec 18 14:12:34 CET 2017 |
| From: Marc Dionne <marc.dionne@auristor.com> |
| Date: Thu, 16 Mar 2017 16:27:44 +0000 |
| Subject: afs: Adjust mode bits processing |
| |
| From: Marc Dionne <marc.dionne@auristor.com> |
| |
| |
| [ Upstream commit 627f46943ff90bcc32ddeb675d881c043c6fa2ae ] |
| |
| Mode bits for an afs file should not be enforced in the usual |
| way. |
| |
| For files, the absence of user bits can restrict file access |
| with respect to what is granted by the server. |
| |
| These bits apply regardless of the owner or the current uid; the |
| rest of the mode bits (group, other) are ignored. |
| |
| Signed-off-by: Marc Dionne <marc.dionne@auristor.com> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Sasha Levin <alexander.levin@verizon.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| fs/afs/security.c | 7 ++++++- |
| 1 file changed, 6 insertions(+), 1 deletion(-) |
| |
| --- a/fs/afs/security.c |
| +++ b/fs/afs/security.c |
| @@ -340,17 +340,22 @@ int afs_permission(struct inode *inode, |
| } else { |
| if (!(access & AFS_ACE_LOOKUP)) |
| goto permission_denied; |
| + if ((mask & MAY_EXEC) && !(inode->i_mode & S_IXUSR)) |
| + goto permission_denied; |
| if (mask & (MAY_EXEC | MAY_READ)) { |
| if (!(access & AFS_ACE_READ)) |
| goto permission_denied; |
| + if (!(inode->i_mode & S_IRUSR)) |
| + goto permission_denied; |
| } else if (mask & MAY_WRITE) { |
| if (!(access & AFS_ACE_WRITE)) |
| goto permission_denied; |
| + if (!(inode->i_mode & S_IWUSR)) |
| + goto permission_denied; |
| } |
| } |
| |
| key_put(key); |
| - ret = generic_permission(inode, mask); |
| _leave(" = %d", ret); |
| return ret; |
| |
