This fixes an issue in the cgroup device controller where device access checks were not enforced if the cgroup filesystem was already mounted before. As a result, processes could bypass device access restrictions.

Aleksei Oladko (2):
  fs: allow non-init s_user_ns for filesystems with FS_VE_MOUNT
  fs: enforce cgroup permissions for bdevs on mount

 block/blk.h            |  1 -
 drivers/mtd/mtdsuper.c |  2 +-
 fs/super.c             | 26 +++++++++++++++++++++++--
 include/linux/blkdev.h |  1 +
 include/linux/fs.h     |  1 +
 5 files changed, 26 insertions(+), 5 deletions(-)

--
2.43.0
