anon_inodes: mark the anon inode private

Inotify was switched to use anon_inode instead of its own private filesystem which only had one inode in commit c44dcc56 "switch inotify_user to anon_inode" The problem with this is that now the inotify inode is not a distinct inode which can be managed by LSMs. userspace tools which use inotify were allowed to use the inotify inode but may not have had permission to do read/write type operations on the anon_inode. After looking at the anon_inode and its users it looks like the best solution is to just mark the anon_inode as S_PRIVATE so the security system will ignore it. Signed-off-by: N Eric Paris <eparis@redhat.com> Acked-by: N James Morris <jmorris@namei.org> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>

anon_inodes: mark the anon inode private
Inotify was switched to use anon_inode instead of its own private filesystem which only had one inode in commit c44dcc56 "switch inotify_user to anon_inode" The problem with this is that now the inotify inode is not a distinct inode which can be managed by LSMs. userspace tools which use inotify were allowed to use the inotify inode but may not have had permission to do read/write type operations on the anon_inode. After looking at the anon_inode and its users it looks like the best solution is to just mark the anon_inode as S_PRIVATE so the security system will ignore it. Signed-off-by: N Eric Paris <eparis@redhat.com> Acked-by: N James Morris <jmorris@namei.org> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>
3836a03d · Eric Paris · Linus Torvalds · 83c0fb65 · 3836a03d
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

fs/anon_inodes.c fs/anon_inodes.c +1 -0

未找到文件。
--- a/fs/anon_inodes.c
+++ b/fs/anon_inodes.c
@@ -209,6 +209,7 @@ static struct inode *anon_inode_mkinode(void)
 	inode->i_mode = S_IRUSR | S_IWUSR;
 	inode->i_uid = current_fsuid();
 	inode->i_gid = current_fsgid();
+	inode->i_flags |= S_PRIVATE;
 	inode->i_atime = inode->i_mtime = inode->i_ctime = CURRENT_TIME;
 	return inode;
 }