vfs: Don't allow a user namespace root to make device nodes

Safely making device nodes in a container is solvable but simply having the capability in a user namespace is not sufficient to make this work. Acked-by: N Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: N Eric W. Biederman <ebiederm@xmission.com>

vfs: Don't allow a user namespace root to make device nodes
Safely making device nodes in a container is solvable but simply having the capability in a user namespace is not sufficient to make this work. Acked-by: N Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: N Eric W. Biederman <ebiederm@xmission.com>
975d6b39 · Eric W. Biederman · dd775ae2 · 975d6b39
隐藏空白更改
内联并排

Showing with 1 addition and 2 deletion

fs/namei.c fs/namei.c +1 -2

未找到文件。
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2560,8 +2560,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
 	if (error)
 		return error;

-	if ((S_ISCHR(mode) || S_ISBLK(mode)) &&
-	    !ns_capable(inode_userns(dir), CAP_MKNOD))
+	if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
 		return -EPERM;

 	if (!dir->i_op->mknod)