The commit is pushed to "branch-rh7-3.10.0-229.7.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after rh7-3.10.0-229.7.2.vz7.6.5 ------> commit cb03dcae8c9bf4e2d6d39ca82d8ead1b153d9205 Author: Andrew Vagin <ava...@openvz.org> Date: Tue Sep 1 18:55:49 2015 +0400
ve/fs: allow to mount devtmpfs in a non-root userns
devtmpfs is virtualized, so it has to be secure.
https://jira.sw.ru/browse/PSBM-39077
Signed-off-by: Andrew Vagin <ava...@openvz.org>
Reviewed-by: Vladimir Davydov <vdavy...@parallels.com>`
---
drivers/base/devtmpfs.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
index daf97ee..9f3809c 100644
--- a/drivers/base/devtmpfs.c
+++ b/drivers/base/devtmpfs.c
@@ -105,6 +105,9 @@ static struct dentry *ve_dev_mount(struct file_system_type *fs_type, int flags,
 static struct dentry *dev_mount(struct file_system_type *fs_type, int flags,
 const char *dev_name, void *data)
 {
+ if (get_exec_env()->init_cred->user_ns != current_user_ns())
+ return ERR_PTR(-EPERM);
+
 #ifdef CONFIG_VE
 if (!ve_is_super(get_exec_env()))
 return ve_dev_mount(fs_type, flags, dev_name, data);
@@ -120,7 +123,7 @@ static struct file_system_type dev_fs_type = {
 .name = "devtmpfs",
 .mount = dev_mount,
 .kill_sb = kill_litter_super,
- .fs_flags = FS_VIRTUALIZED,
+ .fs_flags = FS_VIRTUALIZED | FS_USERNS_MOUNT | FS_USERNS_DEV_MOUNT,
 };

 #ifdef CONFIG_BLOCK
_______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
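Review bot: The added `get_exec_env()->init_cred->user_ns != current_user_ns()` check in dev_mount sits above the `#ifdef CONFIG_VE` guard, while the `get_exec_env()` call two lines below it is inside that guard; if `get_exec_env()` or `init_cred` exist only under CONFIG_VE, the file will no longer build with that option off, so either move the check inside the `#ifdef` or confirm those symbols are available unconditionally. This check is also what stops the `FS_USERNS_MOUNT | FS_USERNS_DEV_MOUNT` flags added in the second hunk from letting a user namespace nested inside a container mount its own devtmpfs, and that intent is not written down; a comment such as `/* Only the VE's own user namespace may mount devtmpfs; nested user namespaces get -EPERM */` above the `if` would make it explicit. Whether `init_cred` is guaranteed non-NULL for the host VE when dev_mount runs on the host is not visible here and is worth confirming before dereferencing it unconditionally. dev_mount's body continues past the end of the first hunk.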