criu · 5bdc16238b7bf7ffaa688506507f3fa5601bce71 · zhul / criu

files: try to change fsuid only if linkat() failed · 5bdc1623

Andrew Vagin authored Apr 19, 2016

We found that linkat for "unsafe" files doesn't work in userns
if a file uid isn't equal to the currect fsuid. This issue was
fixed by changing fsuid before calling linkat. But in this
case we are not able to createa link if a target directory doesn't
have write premissions.

Starting with the 4.3 kernel, it's possible to create links of
"unsafe files":

f2ca379642d7 ("namei: permit linking with CAP_FOWNER in userns")

So we can try to call linkat() without changing fsuid and make one
more attempt with changing fsuid if the first one failed with EPERM.
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
Signed-off-by: Pavel Emelyanov <xemul@virtuozzo.com>

5bdc1623

Name	Last commit	Last update
..
arch		Loading commit data...
include		Loading commit data...
pie		Loading commit data...
Makefile		Loading commit data...
Makefile.config		Loading commit data...
Makefile.crtools		Loading commit data...
Makefile.version		Loading commit data...
action-scripts.c		Loading commit data...
aio.c		Loading commit data...
bfd.c		Loading commit data...
bitmap.c		Loading commit data...
cgroup.c		Loading commit data...
cr-check.c		Loading commit data...
cr-dedup.c		Loading commit data...
cr-dump.c		Loading commit data...
cr-errno.c		Loading commit data...
cr-exec.c		Loading commit data...
cr-restore.c		Loading commit data...
cr-service.c		Loading commit data...
crtools.c		Loading commit data...
eventfd.c		Loading commit data...
eventpoll.c		Loading commit data...
fault-injection.c		Loading commit data...
fifo.c		Loading commit data...
file-ids.c		Loading commit data...
file-lock.c		Loading commit data...
files-ext.c		Loading commit data...
files-reg.c		Loading commit data...
files.c		Loading commit data...
fsnotify.c		Loading commit data...
image-desc.c		Loading commit data...
image.c		Loading commit data...
ipc_ns.c		Loading commit data...
irmap.c		Loading commit data...
kcmp-ids.c		Loading commit data...
kerndat.c		Loading commit data...
libnetlink.c		Loading commit data...
log.c		Loading commit data...
lsm.c		Loading commit data...
mem.c		Loading commit data...
mount.c		Loading commit data...
namespaces.c		Loading commit data...
net.c		Loading commit data...
netfilter.c		Loading commit data...
page-pipe.c		Loading commit data...
page-read.c		Loading commit data...
page-xfer.c		Loading commit data...
pagemap-cache.c		Loading commit data...
parasite-syscall.c		Loading commit data...
pie-util-fd.c		Loading commit data...
pie-util-vdso.c		Loading commit data...
pie-util.c		Loading commit data...
pipes.c		Loading commit data...
plugin.c		Loading commit data...
proc_parse.c		Loading commit data...
protobuf-desc.c		Loading commit data...
protobuf.c		Loading commit data...
pstree.c		Loading commit data...
ptrace.c		Loading commit data...
rbtree.c		Loading commit data...
rst-malloc.c		Loading commit data...
seccomp.c		Loading commit data...
seize.c		Loading commit data...
shmem.c		Loading commit data...
sigframe.c		Loading commit data...
signalfd.c		Loading commit data...
sk-inet.c		Loading commit data...
sk-netlink.c		Loading commit data...
sk-packet.c		Loading commit data...
sk-queue.c		Loading commit data...
sk-tcp.c		Loading commit data...
sk-unix.c		Loading commit data...
sockets.c		Loading commit data...
stats.c		Loading commit data...
string.c		Loading commit data...
sysctl.c		Loading commit data...
sysfs_parse.c		Loading commit data...
timerfd.c		Loading commit data...
tty.c		Loading commit data...
tun.c		Loading commit data...
util.c		Loading commit data...
uts_ns.c		Loading commit data...
vdso.c		Loading commit data...