path: root/fs/seq_file.c
diff options
authorLinus Torvalds <torvalds@linux-foundation.org>2016-04-14 11:22:00 -0700
committerLinus Torvalds <torvalds@linux-foundation.org>2016-04-14 12:56:09 -0700
commit34dbbcdbf63360661ff7bda6c5f52f99ac515f92 (patch)
tree56152a152ec895f7b9f49d529f2248b9c4eaed1f /fs/seq_file.c
parent4046d6e81f33b7ef50d6668b78076d54c5e066b6 (diff)
Make file credentials available to the seqfile interfaces
A lot of seqfile users seem to be using things like %pK that uses the credentials of the current process, but that is actually completely wrong for filesystem interfaces. The unix semantics for permission checking files is to check permissions at _open_ time, not at read or write time, and that is not just a small detail: passing off stdin/stdout/stderr to a suid application and making the actual IO happen in privileged context is a classic exploit technique. So if we want to be able to look at permissions at read time, we need to use the file open credentials, not the current ones. Normal file accesses can just use "f_cred" (or any of the helper functions that do that, like file_ns_capable()), but the seqfile interfaces do not have any such options. It turns out that seq_file _does_ save away the user_ns information of the file, though. Since user_ns is just part of the full credential information, replace that special case with saving off the cred pointer instead, and suddenly seq_file has all the permission information it needs. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/seq_file.c')
1 files changed, 4 insertions, 3 deletions
diff --git a/fs/seq_file.c b/fs/seq_file.c
index e85664b7c7d9..19f532e7d35e 100644
--- a/fs/seq_file.c
+++ b/fs/seq_file.c
@@ -72,9 +72,10 @@ int seq_open(struct file *file, const struct seq_operations *op)
p->op = op;
- p->user_ns = file->f_cred->user_ns;
+ // No refcounting: the lifetime of 'p' is constrained
+ // to the lifetime of the file.
+ p->file = file;
* Wrappers around seq_open(e.g. swaps_open) need to be