locks: Don't allow mounts in user namespaces to enable mandatory locking

Since no one uses mandatory locking and files with mandatory locks can cause problems don't allow them in user namespaces. Signed-off-by: N "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: N Jeff Layton <jeff.layton@primarydata.com>

locks: Don't allow mounts in user namespaces to enable mandatory locking
Since no one uses mandatory locking and files with mandatory locks can cause problems don't allow them in user namespaces. Signed-off-by: N "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: N Jeff Layton <jeff.layton@primarydata.com>
95ace754 · Eric W. Biederman · Jeff Layton · 9e8925b6 · 95ace754
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

fs/namespace.c fs/namespace.c +1 -1

未找到文件。
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1589,7 +1589,7 @@ static inline bool may_mandlock(void)
 #ifndef	CONFIG_MANDATORY_FILE_LOCKING
 	return false;
 #endif
-	return true;
+	return capable(CAP_SYS_ADMIN);
 }

 /*