[Devel] [PATCH vz10 v4 0/2] cgroup/devices: Fix missing permission
Aleksei Oladko
aleksey.oladko at virtuozzo.com
Tue Nov 18 02:14:46 MSK 2025
This fixes an issue in the cgroup device controller where device access
checks were not enforced if the cgroup filesystem was already mounted
before. As a result, processes could bypass device access
restrictions.

Aleksei Oladko (2):
  fs: allow non-init s_user_ns for filesystems with FS_VE_MOUNT
  fs: enforce cgroup permissions for bdevs on mount

 block/blk.h            |  1 -
 fs/super.c             | 21 ++++++++++++++++++---
 include/linux/blkdev.h |  1 +
 include/linux/fs.h     |  1 +
 4 files changed, 20 insertions(+), 4 deletions(-)

--
2.43.0