We don't want to allow creation of private hardlinks by different application
using the fd passed to them via SCM_RIGHTS. So limit the null relative name
usage in linkat syscall to CAP_DAC_READ_SEARCH
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@xxxxxxxxxxxxxxxxxx>
---
fs/namei.c | 21 +++++++++++++++++++++
1 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index 990b155..5c4902c 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3408,6 +3408,18 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de
return error;
}
+static int null_name(const char __user *name)
+{
+ int retval = 0;
+ char *tmp = getname_null(name);
+ if (!IS_ERR(tmp)) {
+ if (*tmp == 0)
+ retval = 1;
+ }
+ putname(tmp);
+ return retval;
+}
+
/*
* Hardlinks are often used in delicate situations. We avoid
* security-related surprises by not following symlinks on the
@@ -3428,6 +3440,15 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
if ((flags & ~AT_SYMLINK_FOLLOW) != 0)
return -EINVAL;
+ /*
+ * To use null names we require CAP_DAC_READ_SEARCH
+ * This ensures that not everyone will be able to create
+ * handlink using the passed filedescriptor.
+ */
+ if (null_name(oldname)) {
+ if (!capable(CAP_DAC_READ_SEARCH))
+ return -ENOENT;
+ }
error = user_path_at(olddfd, oldname,
flags & AT_SYMLINK_FOLLOW ? LOOKUP_FOLLOW : 0,
--
1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
