From a3494944c885f6d7da3620af4f92275ec03cd2eb Mon Sep 17 00:00:00 2001 From: Andrew Walker Date: Wed, 15 Nov 2023 06:13:53 -0500 Subject: [PATCH] Remove inode_owner_or_capable override for secpolicy This commit fixes a bug whereby owner@ ACL that limits WRITE_DATA access for the owner of a file was not being properly enforced. The owner of a file should be prevented from write access in this case, but being owner of file should still allow the file owner to chmod, chown, and setacl. Signed-off-by: Andrew Walker --- module/os/linux/zfs/policy.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/module/os/linux/zfs/policy.c b/module/os/linux/zfs/policy.c index ebec1e93a436..a3801c605dd6 100644 --- a/module/os/linux/zfs/policy.c +++ b/module/os/linux/zfs/policy.c @@ -120,10 +120,7 @@ secpolicy_vnode_access2(const cred_t *cr, struct inode *ip, uid_t owner, return (0); } - if ((uid == owner) || (uid == 0)) - return (0); - - if (zpl_inode_owner_or_capable(kcred->user_ns, ip)) + if (uid == 0) return (0); #if defined(CONFIG_USER_NS)