vfs: Don't allow a user namespace root to make device nodes
Safely making device nodes in a container is solvable, but simply having the capability in a user namespace is not sufficient to make this work. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
parent
dd775ae254
commit
975d6b3932
@ -2560,8 +2560,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
if (error)
if (error)
return error;
return error;
|
|
if ((S_ISCHR(mode) || S_ISBLK(mode)) &&
if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
!ns_capable(inode_userns(dir), CAP_MKNOD))
return -EPERM;
return -EPERM;
|
|
if (!dir->i_op->mknod)
if (!dir->i_op->mknod)
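Review bot: The new `capable(CAP_MKNOD)` test on the `if ((S_ISCHR(mode) || S_ISBLK(mode)) && ...)` line carries no comment explaining why the namespace-scoped `ns_capable(inode_userns(dir), CAP_MKNOD)` check was dropped, so a later reader is likely to reintroduce it as an apparent container-friendliness fix and silently reopen the hole this commit closes. Suggest a comment directly above the condition, along the lines of `/* Creating device nodes requires CAP_MKNOD in the initial user namespace; holding it inside a user namespace is deliberately not enough (see commit message). */`. As the condition shows, only character and block nodes are gated here while FIFOs and sockets pass through; that looks intentional but is worth stating in the same comment so the narrower scope is not read as an oversight. vfs_mknod begins and ends outside this hunk.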