UBUNTU: SAUCE: Yama: verify inode is symlink to avoid bind mounts

The inode_follow_link LSM hook is called in bind mount situations as
well as for symlink situations, so we must explicitly check for the
inode being a symlink to not reject bind mounts in 1777 directories,
which seems to be a common NFSv4 configuration.

BugLink: https://bugs.launchpad.net/bugs/604407

[submitted upstream to security-next]

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com>

diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 4a5bc1a..1fb1f90 100644 (file)
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -285,9 +285,13 @@ int yama_inode_follow_link(struct dentry *dentry,
        if (!protected_sticky_symlinks)
                return 0;
 
+       /* if inode isn't a symlink, don't try to evaluate blocking it */
+       inode = dentry->d_inode;
+       if (!S_ISLNK(inode->i_mode))
+               return 0;
+
        /* owner and follower match? */
        cred = current_cred();
-       inode = dentry->d_inode;
        if (cred->fsuid == inode->i_uid)
                return 0;