From: John Stultz <john.stultz@xxxxxxxxxx> Using old_creds as an indication that we are not overriding the credentials, bypass call to inode_owner_or_capable. This solves a problem with all execv calls being blocked when using the caller's credentials. Signed-off-by: John Stultz <john.stultz@xxxxxxxxxx> Signed-off-by: Mark Salyzyn <salyzyn@xxxxxxxxxxx> Fixes: 05acefb4872da ("ovl: check permission to open real file") C: linux-fsdevel@xxxxxxxxxxxxxxx C: linux-unionfs@xxxxxxxxxxxxxxx Cc: Stephen Smalley <sds@xxxxxxxxxxxxx> Cc: linux-kernel@xxxxxxxxxxxxxxx Cc: linux-security-module@xxxxxxxxxxxxxxx Cc: kernel-team@xxxxxxxxxxx Cc: selinux@xxxxxxxxxxxxxxx v18 - rebase v17 - rebase v16 - introduced fix over rebased series --- fs/overlayfs/file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c index b1357bb067d9..9ab9663b02d8 100644 --- a/fs/overlayfs/file.c +++ b/fs/overlayfs/file.c @@ -53,7 +53,7 @@ static struct file *ovl_open_realfile(const struct file *file, err = inode_permission(realinode, MAY_OPEN | acc_mode); if (err) { realfile = ERR_PTR(err); - } else if (!inode_owner_or_capable(realinode)) { + } else if (old_cred && !inode_owner_or_capable(realinode)) { realfile = ERR_PTR(-EPERM); } else { realfile = open_with_fake_path(&file->f_path, flags, realinode, -- 2.29.0.rc1.297.gfa9743e501-goog