[lxc-devel] [lxcfs/master] bindings: allow getattr on O_WRONLY files
brauner on Github
lxc-bot at linuxcontainers.org
Thu Oct 6 23:02:45 UTC 2016
From c1ef53add0130e46dc9904fa80790c0ad78ab27e Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at canonical.com>
Date: Fri, 7 Oct 2016 00:59:53 +0200
Subject: [PATCH] bindings: allow getattr on O_WRONLY files
We should only deny getting the attributes of a file if it neither contains
O_RDONLY permission nor O_WRONLY permission. Otherwise ls -al will not show
attributes on O_WRONLY files. Such files are quite common under /proc or /sys.
BEFORE:
root at conventiont:~# ls -al /var/lib/lxcfs/cgroup/devices/
ls: cannot access '/var/lib/lxcfs/cgroup/devices/devices.allow': Permission denied
ls: cannot access '/var/lib/lxcfs/cgroup/devices/devices.deny': Permission denied
total 0
drwxr-xr-x 2 root root 0 Oct 7 01:00 .
drwxr-xr-x 2 root root 0 Oct 7 01:00 ..
-rw-r--r-- 1 root root 0 Oct 7 01:00 cgroup.clone_children
-rw-r--r-- 1 root root 0 Oct 7 01:00 cgroup.procs
-r--r--r-- 1 root root 0 Oct 7 01:00 cgroup.sane_behavior
?????????? ? ? ? ? ? devices.allow
?????????? ? ? ? ? ? devices.deny
-r--r--r-- 1 root root 0 Oct 7 01:00 devices.list
drwxr-xr-x 2 root root 0 Oct 7 01:00 init.scope
drwxr-xr-x 2 root root 0 Oct 7 01:00 lxc
-rw-r--r-- 1 root root 0 Oct 7 01:00 notify_on_release
-rw-r--r-- 1 root root 0 Oct 7 01:00 release_agent
drwxr-xr-x 2 root root 0 Oct 7 01:00 system.slice
-rw-r--r-- 1 root root 0 Oct 7 01:00 tasks
drwxr-xr-x 2 root root 0 Oct 7 01:00 user.slice
AFTER:
root at conventiont:~# ls -al /var/lib/lxcfs/cgroup/devices/
total 0
drwxr-xr-x 2 root root 0 Oct 7 01:01 .
drwxr-xr-x 2 root root 0 Oct 7 01:01 ..
-rw-r--r-- 1 root root 0 Oct 7 01:01 cgroup.clone_children
-rw-r--r-- 1 root root 0 Oct 7 01:01 cgroup.procs
-r--r--r-- 1 root root 0 Oct 7 01:01 cgroup.sane_behavior
--w------- 1 root root 0 Oct 7 01:01 devices.allow
--w------- 1 root root 0 Oct 7 01:01 devices.deny
-r--r--r-- 1 root root 0 Oct 7 01:01 devices.list
drwxr-xr-x 2 root root 0 Oct 7 01:01 init.scope
drwxr-xr-x 2 root root 0 Oct 7 01:01 lxc
-rw-r--r-- 1 root root 0 Oct 7 01:01 notify_on_release
-rw-r--r-- 1 root root 0 Oct 7 01:01 release_agent
drwxr-xr-x 2 root root 0 Oct 7 01:01 system.slice
-rw-r--r-- 1 root root 0 Oct 7 01:01 tasks
drwxr-xr-x 2 root root 0 Oct 7 01:01 user.slice
Signed-off-by: Christian Brauner <christian.brauner at canonical.com>
---
bindings.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/bindings.c b/bindings.c
index 2f78ab5..0ae8fcf 100644
--- a/bindings.c
+++ b/bindings.c
@@ -1673,7 +1673,13 @@ int cg_getattr(const char *path, struct stat *sb)
ret = -ENOENT;
goto out;
}
- if (!fc_may_access(fc, controller, path1, path2, O_RDONLY)) {
+ /* We should only deny getting the attributes of a file if it
+ * neither contains O_RDONLY permission nor O_WRONLY
+ * permissions. Otherwise we ls -al will not show attributes on
+ * O_WRONLY files. Such files are quite common under /proc or
+ * /sys. */
+ if (!fc_may_access(fc, controller, path1, path2, O_RDONLY) &&
+ !fc_may_access(fc, controller, path1, path2, O_WRONLY)) {
ret = -EACCES;
goto out;
}
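Review bot: the new comment in this hunk carries over the commit message's grammar slip ("Otherwise we ls -al will not show attributes"); drop the "we" before it lands in bindings.c. On the logic: with the `&&` condition, getattr still returns -EACCES for an entry that grants neither read nor write, whereas stat() on an ordinary filesystem needs only search permission on the directory and not access to the file itself, so `ls -al` would keep printing `??????????` for any such mode-0 entry; if that stricter behaviour is intended for lxcfs, a sentence in the comment saying so would help the next reader, otherwise consider whether getattr needs an access check at all. Minor: fc_may_access is called twice with identical arguments except for the mode; if it accepts a combined mode, one call would read more clearly.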