On Thu, Apr 09, 2020 at 11:28:59PM +0200, Miklos Szeredi wrote:
> From: Miklos Szeredi <mszeredi@xxxxxxxxxx>
>
> Whiteouts, unlike real device node should not require privileges to create.
>
> The general concern with device nodes is that opening them can have side
> effects. The kernel already avoids zero major (see
> Documentation/admin-guide/devices.txt). To be on the safe side the patch
> explicitly forbids registering a char device with 0/0 number (see
> cdev_add()).
>
> This guarantees that a non-O_PATH open on a whiteout will fail with ENODEV;
> i.e. it won't have any side effect.
> int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
> {
> + bool is_whiteout = S_ISCHR(mode) && dev == WHITEOUT_DEV;
> int error = may_create(dir, dentry);
>
> if (error)
> return error;
>
> - if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
> + if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD) &&
> + !is_whiteout)
> return -EPERM;
Hmm... That exposes vfs_whiteout() to LSM; are you sure that you won't
end up with regressions for overlayfs on sufficiently weird setups?
