From c16e5b47f3442ab412c02092ed4cb7db1bc1a962 Mon Sep 17 00:00:00 2001
From: Andy Whitcroft
Date: Tue, 17 Jan 2012 11:48:23 +0000
Subject: [PATCH] overlayfs: apply device cgroup and security permissions to overlay files

When checking permissions on an overlayfs inode we do not take into account either device cgroup restrictions nor security permissions. This allows a user to mount an overlayfs layer over a restricted device directory and by pass those permissions to open otherwise restricted files.

Use devcgroup_inode_permission() and security_inode_permission() against the underlying inodes when calculating ovl_permission().

Signed-off-by: Andy Whitcroft
---
 fs/overlayfs/inode.c | 7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
index ba1a777..1145a76 100644
--- a/fs/overlayfs/inode.c
+++ b/fs/overlayfs/inode.c
@@ -10,6 +10,8 @@
 #include
 #include
 #include
+#include
+#include
 #include "overlayfs.h"
 
 int ovl_setattr(struct dentry *dentry, struct iattr *attr)
@@ -118,6 +120,11 @@ int ovl_permission(struct inode *inode, int mask)
 		err = realinode->i_op->permission(realinode, mask);
 	else
 		err = generic_permission(realinode, mask);
+
+	if (!err)
+		err = devcgroup_inode_permission(realinode, mask);
+	if (!err)
+		err = security_inode_permission(realinode, mask);
 out_dput:
 	dput(alias);
 	return err;
-- 
1.7.5.4
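Review bot: The two added `if (!err)` checks in ovl_permission need a comment saying why they are run against realinode rather than left to the VFS, because the commit message is the only place that reasoning lives and the VFS presumably already applies these same hooks to the overlay inode, so a later reader may take this second pass for a redundant duplicate and drop it. A line such as `/* The VFS checks the overlay inode only; repeat the device cgroup and LSM checks on the underlying inode so a mount over a restricted device directory cannot bypass them. */` above the first `if (!err)` would record that. If inode_permission() is usable here, the stretch from the `i_op->permission` call through the second new check looks close to a single `err = inode_permission(realinode, mask);`, which would also keep the check order tied to the VFS's own, though its extra read-only/immutable handling for write masks would need confirming against the kernel this targets before switching. The body of ovl_permission, including how realinode and alias are obtained, starts outside the hunk.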