git.baikalelectronics.ru Git - kernel.git/commit

author	Amir Goldstein <amir73il@gmail.com>
	Mon, 24 May 2021 13:53:21 +0000 (16:53 +0300)
committer	Jan Kara <jack@suse.cz>
	Tue, 25 May 2021 10:21:14 +0000 (12:21 +0200)
commit	c118a42455459d5f964d466280193675c802bfeb
tree	cd0170b7b0d8e5a4e73334394683ff0f02cf7bb8	tree \| snapshot
parent	37b933a8dd4ef4cd9041128c2ff8526e9964298d	commit \| diff

fanotify: fix permission model of unprivileged group

Reporting event->pid should depend on the privileges of the user that
initialized the group, not the privileges of the user reading the
events.

Use an internal group flag FANOTIFY_UNPRIV to record the fact that the
group was initialized by an unprivileged user.

To be on the safe side, the premissions to setup filesystem and mount
marks now require that both the user that initialized the group and
the user setting up the mark have CAP_SYS_ADMIN.

Link: https://lore.kernel.org/linux-fsdevel/CAOQ4uxiA77_P5vtv7e83g0+9d7B5W9ZTE4GfQEYbWmfT1rA=VA@mail.gmail.com/
Fixes: d3402cec146a ("fanotify: support limited functionality for unprivileged users")
Cc: <Stable@vger.kernel.org> # v5.12+
Link: https://lore.kernel.org/r/20210524135321.2190062-1-amir73il@gmail.com
Reviewed-by: Matthew Bobrowski <repnop@google.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>

fs/notify/fanotify/fanotify_user.c		diff \| blob \| history
fs/notify/fdinfo.c		diff \| blob \| history
include/linux/fanotify.h		diff \| blob \| history