[PATCH v5 13/16] ima: Move some IMA policy and filesystem related variables into ima_namespace

Stefan Berger stefanb at linux.ibm.com
Fri Dec 10 20:08:27 UTC 2021


On 12/10/21 06:32, Christian Brauner wrote:
>  From ecf25d6b2b5895005d4103169bdb55d970e7a865 Mon Sep 17 00:00:00 2001
> From: Christian Brauner<christian.brauner at ubuntu.com>
> Date: Fri, 10 Dec 2021 11:56:25 +0100
> Subject: [PATCH 2/2] !!!! HERE BE DRAGONS - COMPLETELY UNTESTED !!!!
>
> securityfs: don't allow mounting from outside the filesystem's userns
>
> If we ever need to allow that we should revisit the semantics.
> ---
>   security/inode.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/security/inode.c b/security/inode.c
> index eaccba7017d9..71f9634228f3 100644
> --- a/security/inode.c
> +++ b/security/inode.c
> @@ -43,7 +43,10 @@ static int securityfs_fill_super(struct super_block *sb, struct fs_context *fc)
>   {
>   	static const struct tree_descr files[] = {{""}};
>   	struct user_namespace *ns = fc->user_ns;
> -	int error;
> +	int error = -EINVAL;
> +
> +	if (WARN_ON(ns != current_user_ns()))
> +		return error;
>   
>   	error = simple_fill_super(sb, SECURITYFS_MAGIC, files);
>   	if (error)


Oops, I hadn't seen this patch. How can one 'mount from outside the 
filesystem's userns'?




More information about the Linux-security-module-archive mailing list