[Devel] [PATCH RHEL7 COMMIT] ve/fs: allow to mount devtmpfs in a non-root userns
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Sep 1 07:56:44 PDT 2015
The commit is pushed to "branch-rh7-3.10.0-229.7.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.6.5
------>
commit cb03dcae8c9bf4e2d6d39ca82d8ead1b153d9205
Author: Andrew Vagin <avagin at openvz.org>
Date: Tue Sep 1 18:55:49 2015 +0400
ve/fs: allow to mount devtmpfs in a non-root userns
devtmpfs is virtualized, so it has to be secure.
https://jira.sw.ru/browse/PSBM-39077
Signed-off-by: Andrew Vagin <avagin at openvz.org>
Reviewed-by: Vladimir Davydov <vdavydov at parallels.com>
---
drivers/base/devtmpfs.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
index daf97ee..9f3809c 100644
--- a/drivers/base/devtmpfs.c
+++ b/drivers/base/devtmpfs.c
@@ -105,6 +105,9 @@ static struct dentry *ve_dev_mount(struct file_system_type *fs_type, int flags,
static struct dentry *dev_mount(struct file_system_type *fs_type, int flags,
const char *dev_name, void *data)
{
+ if (get_exec_env()->init_cred->user_ns != current_user_ns())
+ return ERR_PTR(-EPERM);
+
#ifdef CONFIG_VE
if (!ve_is_super(get_exec_env()))
return ve_dev_mount(fs_type, flags, dev_name, data);
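Review bot: the new check calls get_exec_env() and dereferences init_cred->user_ns before the #ifdef CONFIG_VE guard that protects the other VE-specific code in dev_mount(), so it should either move inside that block or get its own guard, otherwise a !CONFIG_VE build of this file will fail on the VE-only symbols. It would also help to add a one-line comment stating the intent visible here: a devtmpfs mount is only permitted from the container's init user namespace (nested user namespaces inside the container get -EPERM), since that is the entire security argument for the FS_USERNS flags added to dev_fs_type below.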
@@ -120,7 +123,7 @@ static struct file_system_type dev_fs_type = {
.name = "devtmpfs",
.mount = dev_mount,
.kill_sb = kill_litter_super,
- .fs_flags = FS_VIRTUALIZED,
+ .fs_flags = FS_VIRTUALIZED | FS_USERNS_MOUNT | FS_USERNS_DEV_MOUNT,
};
#ifdef CONFIG_BLOCK
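Review bot: FS_USERNS_DEV_MOUNT means a mount from a non-root user namespace is not forced to MNT_NODEV, so device nodes on this superblock remain usable inside the container; together with FS_USERNS_MOUNT this makes the user_ns comparison added to dev_mount() the only thing standing between an arbitrary userns and a device-bearing devtmpfs, so the two changes must land together and a comment on the .fs_flags line pointing at that check would make the dependency explicit for future readers.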