[PATCH v5 13/16] ima: Move some IMA policy and filesystem related variables into ima_namespace
Stefan Berger
stefanb at linux.ibm.com
Fri Dec 10 20:08:27 UTC 2021
On 12/10/21 06:32, Christian Brauner wrote:
> From ecf25d6b2b5895005d4103169bdb55d970e7a865 Mon Sep 17 00:00:00 2001
> From: Christian Brauner<christian.brauner at ubuntu.com>
> Date: Fri, 10 Dec 2021 11:56:25 +0100
> Subject: [PATCH 2/2] !!!! HERE BE DRAGONS - COMPLETELY UNTESTED !!!!
>
> securityfs: don't allow mounting from outside the filesystem's userns
>
> If we ever need to allow that we should revisit the semantics.
> ---
> security/inode.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/security/inode.c b/security/inode.c
> index eaccba7017d9..71f9634228f3 100644
> --- a/security/inode.c
> +++ b/security/inode.c
> @@ -43,7 +43,10 @@ static int securityfs_fill_super(struct super_block *sb, struct fs_context *fc)
> {
> static const struct tree_descr files[] = {{""}};
> struct user_namespace *ns = fc->user_ns;
> - int error;
> + int error = -EINVAL;
> +
> + if (WARN_ON(ns != current_user_ns()))
> + return error;
>
> error = simple_fill_super(sb, SECURITYFS_MAGIC, files);
> if (error)
Oops, I hadn't seen this patch. How can one 'mount from outside the
filesystem's userns'?
More information about the Linux-security-module-archive
mailing list