ceph: Only allow mounts in the initial network namespace

Today ceph opens tcp sockets from a delayed work callback. Delayed work happens from kernel threads which are always in the initial network namespace. Therefore fail early if someone attempts to mount a ceph filesystem from something other than the initial network namespace. Cc: Sage Weil <sage@inktank.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
author: Eric W. Biederman <ebiederm@xmission.com> 2013-01-31 05:09:50 -0500
committer: Eric W. Biederman <ebiederm@xmission.com> 2013-02-12 06:19:23 -0500
commit: eea553c21fbfa486978c82525ee8256239d4f921 (patch)
tree: 45b6b0b51fd59806aa1e8836a1f563918b02eab4 /net
parent: bc1b69ed22a704fb1cc83d75b2eb46508a06c820 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index ee71ea26777a..1deb29af82fd 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -15,6 +15,8 @@
 #include <linux/slab.h>
 #include <linux/statfs.h>
 #include <linux/string.h>
+#include <linux/nsproxy.h>
+#include <net/net_namespace.h>
 #include <linux/ceph/ceph_features.h>
@@ -292,6 +294,9 @@ ceph_parse_options(char *options, const char *dev_name,
        int err = -ENOMEM;
        substring_t argstr[MAX_OPT_ARGS];
+        if (current->nsproxy->net_ns != &init_net)
+                return ERR_PTR(-EINVAL);
        opt = kzalloc(sizeof(*opt), GFP_KERNEL);
        if (!opt)
                return ERR_PTR(-ENOMEM);
author	Eric W. Biederman <ebiederm@xmission.com>	2013-01-31 05:09:50 -0500
committer	Eric W. Biederman <ebiederm@xmission.com>	2013-02-12 06:19:23 -0500
commit	eea553c21fbfa486978c82525ee8256239d4f921 (patch)
tree	45b6b0b51fd59806aa1e8836a1f563918b02eab4 /net
parent	bc1b69ed22a704fb1cc83d75b2eb46508a06c820 (diff)