vfs: Don't allow a user namespace root to make device nodes
Safely making device nodes in a container is solvable but simply
having the capability in a user namespace is not sufficient to make
this work.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Eric W. Biederman committed Apr 3, 2012
1 parent dd775ae commit 975d6b3
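The check a practitioner would run to see what this commit changes, added here as an example; it is not kernel code and not part of the commit. It forks a child, makes that child root in a fresh user namespace via unshare(CLONE_NEWUSER) and /proc/self/uid_map, then calls mknod(2) twice in a temporary directory: once for a FIFO, which vfs_mknod never gates on a capability, and once for a character device with /dev/null's 1:3 numbers, which the hunk below now gates on capable(CAP_MKNOD) in the initial namespace. On a kernel with this change the FIFO succeeds and the device node fails with EPERM even though the caller holds CAP_MKNOD in its own namespace. Assumed: a Linux host with unprivileged user namespaces enabled and /proc mounted; the names probe_userns_mknod and probe_consistent are mine, not the kernel's.

```c
/* Added example (not kernel code): probe mknod(2) from inside a new user namespace.
 * Assumes Linux with unprivileged user namespaces enabled and /proc mounted. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* value from <linux/sched.h>, in case <sched.h> hides it */
#endif
int unshare(int flags);          /* glibc prototype, in case _GNU_SOURCE was defined too late */

struct mknod_probe {
    int userns_ok;  /* 1 once the child is uid 0 inside a fresh user namespace */
    int fifo_errno; /* mknod(S_IFIFO) inside that namespace: 0 or an errno, -1 = not run */
    int chr_errno;  /* mknod(S_IFCHR 1:3) inside that namespace: 0 or an errno, -1 = not run */
};

/* Write one mapping line to a file such as /proc/self/uid_map; 0 on success. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* One mknod() attempt; returns 0 (and removes the node) or the errno it failed with. */
static int try_mknod(const char *path, mode_t mode, dev_t dev)
{
    if (mknod(path, mode, dev) == 0) {
        unlink(path);
        return 0;
    }
    return errno;
}

/* Child side: become root in a new user namespace, then attempt both node types. */
static void child_probe(int pipe_wr, const char *dir, uid_t uid, gid_t gid)
{
    struct mknod_probe r = { 0, -1, -1 };
    char map[64], fifo[4096], chr[4096];

    if (unshare(CLONE_NEWUSER) == 0) {
        snprintf(map, sizeof map, "0 %u 1\n", (unsigned)uid);
        int ok = write_file("/proc/self/uid_map", map) == 0;
        /* An unprivileged process must deny setgroups before it may write gid_map. */
        write_file("/proc/self/setgroups", "deny\n");
        snprintf(map, sizeof map, "0 %u 1\n", (unsigned)gid);
        ok = ok && write_file("/proc/self/gid_map", map) == 0;
        if (ok && geteuid() == 0)
            r.userns_ok = 1; /* we now hold every capability, CAP_MKNOD included, in this namespace */
    }
    if (r.userns_ok) {
        snprintf(fifo, sizeof fifo, "%s/probe.fifo", dir);
        snprintf(chr, sizeof chr, "%s/probe.null", dir);
        r.fifo_errno = try_mknod(fifo, S_IFIFO | 0600, 0);
        r.chr_errno = try_mknod(chr, S_IFCHR | 0600, makedev(1, 3)); /* 1:3 is /dev/null */
    }
    if (write(pipe_wr, &r, sizeof r) != (ssize_t)sizeof r)
        _exit(1);
    _exit(0);
}

/* Parent side: run the probe in a forked child so this process never leaves its namespace. */
struct mknod_probe probe_userns_mknod(void)
{
    struct mknod_probe r = { 0, -1, -1 };
    char dir[] = "/tmp/mknod-probe-XXXXXX";
    int fds[2];

    if (!mkdtemp(dir))
        return r;
    if (pipe(fds) != 0) {
        rmdir(dir);
        return r;
    }
    pid_t pid = fork();
    if (pid == 0) {
        close(fds[0]);
        child_probe(fds[1], dir, getuid(), getgid());
    }
    close(fds[1]);
    if (pid > 0) {
        if (read(fds[0], &r, sizeof r) != (ssize_t)sizeof r)
            r = (struct mknod_probe){ 0, -1, -1 };
        waitpid(pid, NULL, 0);
    }
    close(fds[0]);
    rmdir(dir);
    return r;
}

/* 1 if the observation matches the rule this commit installs: FIFOs unprivileged,
 * device nodes refused with EPERM outside the initial namespace. A probe that could
 * not enter a user namespace says nothing either way and also counts as consistent. */
int probe_consistent(struct mknod_probe r)
{
    if (!r.userns_ok)
        return r.fifo_errno == -1 && r.chr_errno == -1;
    return r.fifo_errno == 0 && r.chr_errno == EPERM;
}

int main(void)
{
    struct mknod_probe r = probe_userns_mknod();
    if (!r.userns_ok) {
        puts("could not become root in a new user namespace; probe did not run");
        return 1;
    }
    printf("mknod FIFO as user-namespace root:      %s\n", r.fifo_errno ? strerror(r.fifo_errno) : "ok");
    printf("mknod char 1:3 as user-namespace root:  %s\n", r.chr_errno ? strerror(r.chr_errno) : "ok");
    return probe_consistent(r) ? 0 : 2;
}
```

If the probe reports that it could not become root in a user namespace, the check did not run (a kernel built without CONFIG_USER_NS, a distribution sysctl that disables unprivileged user namespaces, or a seccomp profile that blocks unshare) and the result says nothing about vfs_mknod. A "Permission denied" on the character device with the FIFO succeeding is the behaviour this commit introduces.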
Showing 1 changed file with 1 addition and 2 deletions: fs/namei.c
@@ -2560,8 +2560,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
if (error)
return error;

if ((S_ISCHR(mode) || S_ISBLK(mode)) &&
!ns_capable(inode_userns(dir), CAP_MKNOD))
if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
return -EPERM;

if (!dir->i_op->mknod)
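Review bot: the replacement of ns_capable(inode_userns(dir), CAP_MKNOD) with capable(CAP_MKNOD) is the right tightening, but the commit message only says namespace capability is "not sufficient" without saying why, and that reasoning belongs in the message: the major/minor numbers passed in dev are global, not per namespace, so a root inside a user namespace that owns dir could otherwise create a node for any host device, and nothing in this hunk or in may_create() above it checks which device is being named. Suggest adding a sentence to that effect so a later reader does not reinstate the ns_capable() form. Two things worth confirming are visible here: the guard is still limited to S_ISCHR(mode) || S_ISBLK(mode), so FIFOs and sockets remain unprivileged in a user namespace, and the error stays -EPERM, so container tooling that relied on creating device nodes from inside the namespace will now see a permission failure and must populate /dev from outside or bind-mount the nodes in.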
