On Mon, 7 Dec 2020, Miklos Szeredi wrote:

> ovl_ioctl_set_flags() does a capability check using flags, but then the
> real ioctl double-fetches flags and uses a potentially different value.
>
> The "Check the capability before cred override" comment is misleading: a user
> can skip this check by presenting benign flags first and then overwriting
> them to non-benign flags.

Is this a security bug which should be fixed in stable?

--
James Morris
<jmorris@xxxxxxxxx>
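The check-then-refetch pattern described in the quoted text, modelled in user space as an added example that is not part of the original message and is not the overlayfs code. The flag values, `struct user_mem`, `fetch_user()` and both handlers are hypothetical stand-ins; the second read returning a different value stands in for a concurrent writer.

```c
#include <errno.h>
#include <stdbool.h>

/* Constructed stand-ins, not kernel definitions. */
#define FLAG_BENIGN     0x1u   /* settable by anyone */
#define FLAG_PRIVILEGED 0x2u   /* requires a capability */

/* Models user memory rewritten between two reads: the first fetch
 * sees benign flags, every later fetch sees privileged ones. */
struct user_mem { unsigned int fetches; };

static unsigned int fetch_user(struct user_mem *m)
{
    return m->fetches++ == 0 ? FLAG_BENIGN : FLAG_PRIVILEGED;
}

static int check_caps(unsigned int flags, bool capable)
{
    return ((flags & FLAG_PRIVILEGED) && !capable) ? -EPERM : 0;
}

/* Double fetch: the value that is checked is not the value applied. */
int set_flags_double_fetch(struct user_mem *m, bool capable,
                           unsigned int *applied)
{
    int err = check_caps(fetch_user(m), capable);  /* fetch 1: checked */
    if (err)
        return err;
    *applied = fetch_user(m);                      /* fetch 2: used */
    return 0;
}

/* Single fetch: copy once, then check and apply the same local copy. */
int set_flags_single_fetch(struct user_mem *m, bool capable,
                           unsigned int *applied)
{
    unsigned int flags = fetch_user(m);
    int err = check_caps(flags, capable);
    if (err)
        return err;
    *applied = flags;
    return 0;
}
```

In review, the thing to look for is any path where a value copied from user memory for a permission check is copied again by the code that acts on it.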