[PATCH 2/2] !!!! HERE BE DRAGONS - COMPLETELY UNTESTED !!!!

From: Christian Brauner
Date: Fri Dec 10 2021 - 05:56:25 EST


securityfs: don't allow mounting from outside the filesystem's userns

If we ever need to allow that we should revisit the semantics.
---
security/inode.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/inode.c b/security/inode.c
index eaccba7017d9..71f9634228f3 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -43,7 +43,10 @@ static int securityfs_fill_super(struct super_block *sb, struct fs_context *fc)
{
static const struct tree_descr files[] = {{""}};
struct user_namespace *ns = fc->user_ns;
- int error;
+ int error = -EINVAL;
+
+ if (WARN_ON(ns != current_user_ns()))
+ return error;

error = simple_fill_super(sb, SECURITYFS_MAGIC, files);
if (error)
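Review bot: The `WARN_ON(ns != current_user_ns())` check at the top of securityfs_fill_super() guards a condition that the subject line describes as a mount attempt from outside the filesystem's userns. If a caller can reach it, every attempt logs a backtrace, and a system running with panic_on_warn goes down. If this is meant as a policy rejection rather than a "cannot happen" assertion, a plain `if (ns != current_user_ns())` or at most WARN_ON_ONCE() would be safer. Two smaller points: initializing `error = -EINVAL` only serves this one early return and is overwritten immediately by simple_fill_super(), so `return -EINVAL;` (or -EPERM, if this is meant as a permission denial) directly in the branch reads more clearly. A short comment above the check saying why fc->user_ns must match the caller's userns would help, since the commit message defers the semantics to a later revisit.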
--
2.30.2