[Devel] [PATCH vz10 v4 0/2] cgroup/devices: Fix missing permission
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Tue Nov 18 06:18:54 MSK 2025
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
On 11/18/25 07:14, Aleksei Oladko wrote:
> This fixes an issue in the cgroup device controller where device access
> checks were not enforced if the cgroup filesystem was already mounted
> before. As a result, processes could bypass device access
> restrictions.
>
> Aleksei Oladko (2):
>   fs: allow non-init s_user_ns for filesystems with FS_VE_MOUNT
>   fs: enforce cgroup permissions for bdevs on mount
>
> block/blk.h | 1 -
> fs/super.c | 21 ++++++++++++++++++---
> include/linux/blkdev.h | 1 +
> include/linux/fs.h | 1 +
> 4 files changed, 20 insertions(+), 4 deletions(-)
>
--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.