nfs: don't share mounts between network namespaces

There's no guarantee that an IP address in a different network namespace actually represents the same endpoint. Also, if we allow unprivileged nfs mounts some day then this might allow an unprivileged user in another network namespace to misdirect somebody else's nfs mounts. If sharing between containers is really what's wanted then that could still be arranged explicitly, for example with bind mounts. Reported-by: N "Eric W. Biederman" <ebiederm@redhat.com> Signed-off-by: N J. Bruce Fields <bfields@redhat.com> Signed-off-by: N Anna Schumaker <Anna.Schumaker@Netapp.com>

nfs: don't share mounts between network namespaces
There's no guarantee that an IP address in a different network namespace actually represents the same endpoint. Also, if we allow unprivileged nfs mounts some day then this might allow an unprivileged user in another network namespace to misdirect somebody else's nfs mounts. If sharing between containers is really what's wanted then that could still be arranged explicitly, for example with bind mounts. Reported-by: N "Eric W. Biederman" <ebiederm@redhat.com> Signed-off-by: N J. Bruce Fields <bfields@redhat.com> Signed-off-by: N Anna Schumaker <Anna.Schumaker@Netapp.com>
7e3fcf61 · J. Bruce Fields · Anna Schumaker · 11476e9d · 7e3fcf61
隐藏空白更改
内联并排

Showing with 5 addition and 0 deletion

fs/nfs/super.c fs/nfs/super.c +5 -0

未找到文件。
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2408,6 +2408,11 @@ static int nfs_compare_super_address(struct nfs_server *server1,
 				     struct nfs_server *server2)
 {
 	struct sockaddr *sap1, *sap2;
+	struct rpc_xprt *xprt1 = server1->client->cl_xprt;
+	struct rpc_xprt *xprt2 = server2->client->cl_xprt;
+	if (!net_eq(xprt1->xprt_net, xprt2->xprt_net))
+		return 0;
 	sap1 = (struct sockaddr *)&server1->nfs_client->cl_addr;
 	sap2 = (struct sockaddr *)&server2->nfs_client->cl_addr;