authorEric W. Biederman <ebiederm@xmission.com>2011-11-13 15:16:43 -0500
committerEric W. Biederman <ebiederm@xmission.com>2012-04-03 07:28:51 -0400
commit975d6b3932d43b87a48d2107264ed0c9a7541d8d (patch)
treead82038ec23ccb2bdb00c1cdc13ae595e5a4dfbe /fs
parentdd775ae2549217d3ae09363e3edb305d0fa19928 (diff)
vfs: Don't allow a user namespace root to make device nodes
Safely making device nodes in a container is solvable but simply having the capability in a user namespace is not sufficient to make this work. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/namei.c3
1 files changed, 1 insertions, 2 deletions
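--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2560,8 +2560,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
 if (error)
 return error;
 
-if ((S_ISCHR(mode) || S_ISBLK(mode)) &&
-!ns_capable(inode_userns(dir), CAP_MKNOD))
+if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
 return -EPERM;
 
 if (!dir->i_op->mknod)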
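Review bot: The new `capable(CAP_MKNOD)` on the S_ISCHR/S_ISBLK branch needs an in-code comment, because a bare `capable()` in otherwise namespace-aware code reads like an oversight and a later cleanup could "fix" it back to `ns_capable(inode_userns(dir), ...)`, silently reopening what this commit closes. Suggest placing `/* Device nodes reach host hardware: require CAP_MKNOD in the initial user namespace, not merely in the inode's user namespace. */` directly above the condition. It would also help to state in that comment that FIFOs and sockets are deliberately not covered here and remain gated only by the preceding `error` check, so the narrowed scope of the privilege test is explicit rather than implied. vfs_mknod starts before this hunk and continues after it.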