This fixes an issue in the cgroup device controller where device access checks were not enforced if the cgroup filesystem was already mounted before. As a result, processes could bypass device access restrictions.

Aleksei Oladko (2):
  fs: allow non-init s_user_ns for filesystems with FS_VE_MOUNT
  fs: enforce cgroup permissions for bdevs on mount

 block/blk.h            |  1 -
 fs/super.c             | 21 ++++++++++++++++++--
 include/linux/blkdev.h |  1 +
 include/linux/fs.h     |  1 +
 4 files changed, 20 insertions(+), 4 deletions(-)

--
2.43.0

_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
