[Devel] [PATCH vz10 v5 0/2] cgroup/devices: Fix missing permission
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Fri Nov 21 12:50:14 MSK 2025
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
On 11/20/25 20:44, Aleksei Oladko wrote:
> This fixes an issue in the cgroup device controller where device access
> checks were not enforced if the cgroup filesystem was already mounted
> before. As a result, processes could bypass device access
> restrictions.
>
> Aleksei Oladko (2):
> fs: allow non-init s_user_ns for filesystems with FS_VE_MOUNT
> fs: enforce cgroup permissions for bdevs on mount
>
> block/blk.h | 1 -
> drivers/mtd/mtdsuper.c | 2 +-
> fs/super.c | 26 +++++++++++++++++++++++---
> include/linux/blkdev.h | 1 +
> include/linux/fs.h | 1 +
> 5 files changed, 26 insertions(+), 5 deletions(-)
>
--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.