[PATCH] mqueue permission fix

From: Manfred Spraul <manfred@colorfullife.com>

Any user can delete any entries in a mqueue mounted filesystem.  The attached
patch prevents that.

- remove the writable test from mq_unlink.

- set the sticky bit in the root inode.  This affects both mq_unlink and
  sys_unlink: only the owner (and root) should be allowed to remove queues.

diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 72f74d564f9b4262d900931e890ec6ac6b2f4fd2..8c54e3e81d229a4d1bd1301976b53df31b83e18a 100644 (file)
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -153,7 +153,7 @@ static int mqueue_fill_super(struct super_block *sb, void *data, int silent)
        sb->s_magic = MQUEUE_MAGIC;
        sb->s_op = &mqueue_super_ops;
 
-       inode = mqueue_get_inode(sb, S_IFDIR | S_IRWXUGO);
+       inode = mqueue_get_inode(sb, S_IFDIR | S_ISVTX | S_IRWXUGO);
        if (!inode)
                return -ENOMEM;
 
@@ -685,10 +685,6 @@ asmlinkage long sys_mq_unlink(const char __user *u_name)
                goto out_err;
        }
 
-       if (permission(dentry->d_inode, MAY_WRITE, NULL)) {
-               err = -EACCES;
-               goto out_err;
-       }
        inode = dentry->d_inode;
        if (inode)
                atomic_inc(&inode->i_count);