author | Eric W. Biederman <ebiederm@xmission.com> | 2011-11-13 12:16:43 -0800 |
committer | Eric W. Biederman <ebiederm@xmission.com> | 2012-04-03 04:28:51 -0700 |
commit | 975d6b3932d43b87a48d2107264ed0c9a7541d8d (patch) | |
tree | ad82038ec23ccb2bdb00c1cdc13ae595e5a4dfbe | |
parent | dd775ae2549217d3ae09363e3edb305d0fa19928 (diff) | |
vfs: Don't allow a user namespace root to make device nodes
Safely making device nodes in a container is solvable but simply
having the capability in a user namespace is not sufficient to make
this work.
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
-rw-r--r-- | fs/namei.c | 3 |
1 files changed, 1 insertions, 2 deletions
@@ -2560,8 +2560,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
 if (error)
 return error;
- if ((S_ISCHR(mode) || S_ISBLK(mode)) &&
- !ns_capable(inode_userns(dir), CAP_MKNOD))
+ if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
 return -EPERM;
 if (!dir->i_op->mknod) |
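Review bot: The new `capable(CAP_MKNOD)` line carries no comment saying that the global capability is deliberately required here, so a later reader comparing it with the other `ns_capable(inode_userns(dir), ...)` checks in this file is likely to "fix" it back to the per-namespace form and silently reopen the hole the commit closes. I would put the rationale from the commit message next to the check, e.g. `/* Device nodes need the global CAP_MKNOD: a user-namespace root must not be able to create host device nodes (not yet safe in a container). */`. As the condition shows, only character and block device nodes are gated; FIFOs and sockets are unaffected, which matches the stated intent and is worth stating in that comment too. The body of vfs_mknod starts and ends outside this hunk, so any earlier checks it performs (the `if (error)` on the first context line) are not visible here.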