[Devel] [PATCH RH7] fs: prohibit remounting non-root mounts from ve user ns
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Thu Oct 22 08:31:46 PDT 2015
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
fs/namespace.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 8909c13..2ed3f02 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1994,7 +1994,13 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
down_write(&sb->s_umount);
if (flags & MS_BIND)
err = change_mount_flags(path->mnt, flags);
- else if (!ve_capable(CAP_SYS_ADMIN))
+ else if (!(capable(CAP_SYS_ADMIN)
+ || (ve_capable(CAP_SYS_ADMIN) && IS_ROOT(path->mnt->mnt_root))))
+ /*
+ * Allow CT remount sb if the root of the mount is available
+ * that will prohibit remounting sb for bindmount from host
+ * if in-ct root is not equal to hosts mount root
+ */
err = -EPERM;
else
err = do_check_and_remount_sb(sb, flags, data);
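Review bot: the block comment sits between the `else if (...)` condition and its single statement `err = -EPERM;`, which is hard to read and not the usual kernel placement; move it above the `else if` and reword it so it states the intent directly, e.g. "A CT may only remount a superblock through a mount whose root is the superblock root; a bind mount of a host subdirectory into the CT therefore cannot be used to remount the host's sb." Since `IS_ROOT(path->mnt->mnt_root)` is true only when that dentry is its own parent, a bind mount of a whole filesystem root still passes, which matches the stated intent but should be called out. The commit message also carries no body: add a sentence explaining the problem being closed (a ve-capable task remounting a host superblock via a sub-tree bind mount) so the reason for the `capable() || (ve_capable() && IS_ROOT())` split is recorded with the change.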
--
1.9.3