The commit is pushed to "branch-rh7-3.10.0-229.7.2-ovz" and will appear at 
https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.6.5
------>
commit cb03dcae8c9bf4e2d6d39ca82d8ead1b153d9205
Author: Andrew Vagin <ava...@openvz.org>
Date:   Tue Sep 1 18:55:49 2015 +0400

    ve/fs: allow to mount devtmpfs in a non-root userns
    
    devtmpfs is virtualized, so it has to be secure.
    
    https://jira.sw.ru/browse/PSBM-39077
    
    Signed-off-by: Andrew Vagin <ava...@openvz.org>
    Reviewed-by: Vladimir Davydov <vdavy...@parallels.com>`
---
 drivers/base/devtmpfs.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
index daf97ee..9f3809c 100644
--- a/drivers/base/devtmpfs.c
+++ b/drivers/base/devtmpfs.c
@@ -105,6 +105,9 @@ static struct dentry *ve_dev_mount(struct file_system_type 
*fs_type, int flags,
 static struct dentry *dev_mount(struct file_system_type *fs_type, int flags,
                      const char *dev_name, void *data)
 {
+       if (get_exec_env()->init_cred->user_ns != current_user_ns())
+               return ERR_PTR(-EPERM);
+
 #ifdef CONFIG_VE
        if (!ve_is_super(get_exec_env()))
                return ve_dev_mount(fs_type, flags, dev_name, data);
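Review bot: The new check in dev_mount() sits above `#ifdef CONFIG_VE`, while the existing use of get_exec_env() just below it is inside the guard. If get_exec_env() does not yield a usable ve_struct when CONFIG_VE is off (its definition is not visible here), this line either fails to build or dereferences a bad pointer. Because the userns flags in the second hunk are set unconditionally, the gate has to hold in both configurations, for example by comparing against `&init_user_ns` in the non-VE case rather than dropping the check. init_cred is also dereferenced with no NULL test; if it can be unset while a VE is starting or stopping, failing closed with `if (!ve->init_cred || ve->init_cred->user_ns != current_user_ns()) return ERR_PTR(-EPERM);` would be safer. The body of dev_mount() continues past the end of this hunk.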
@@ -120,7 +123,7 @@ static struct file_system_type dev_fs_type = {
        .name = "devtmpfs",
        .mount = dev_mount,
        .kill_sb = kill_litter_super,
-       .fs_flags = FS_VIRTUALIZED,
+       .fs_flags = FS_VIRTUALIZED | FS_USERNS_MOUNT | FS_USERNS_DEV_MOUNT,
 };
 
 #ifdef CONFIG_BLOCK
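Review bot: Nothing at `.fs_flags` records that FS_USERNS_MOUNT and FS_USERNS_DEV_MOUNT are only safe because of the user_ns comparison added in dev_mount(), which becomes the sole filesystem-level gate against a mount from an arbitrary user namespace. A comment above the initializer would keep the two coupled, e.g. `/* userns mounts are gated in dev_mount(): only the VE's init user_ns may mount */`. FS_USERNS_DEV_MOUNT also means a userns mount is not forced to nodev, so the commit message should state what limits the device nodes visible in a container's devtmpfs instance; "virtualized, so it has to be secure" leaves that unstated.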