diff options
Diffstat (limited to 'kernel/user_namespace.c')
| -rw-r--r-- | kernel/user_namespace.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index b14f4d342043..a54f26f82eb2 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c | |||
| @@ -61,6 +61,15 @@ int create_user_ns(struct cred *new) | |||
| 61 | kgid_t group = new->egid; | 61 | kgid_t group = new->egid; |
| 62 | int ret; | 62 | int ret; |
| 63 | 63 | ||
| 64 | /* | ||
| 65 | * Verify that we can not violate the policy of which files | ||
| 66 | * may be accessed that is specified by the root directory, | ||
| 67 | * by verifing that the root directory is at the root of the | ||
| 68 | * mount namespace which allows all files to be accessed. | ||
| 69 | */ | ||
| 70 | if (current_chrooted()) | ||
| 71 | return -EPERM; | ||
| 72 | |||
| 64 | /* The creator needs a mapping in the parent user namespace | 73 | /* The creator needs a mapping in the parent user namespace |
| 65 | * or else we won't be able to reasonably tell userspace who | 74 | * or else we won't be able to reasonably tell userspace who |
| 66 | * created a user_namespace. | 75 | * created a user_namespace. |
| @@ -87,6 +96,8 @@ int create_user_ns(struct cred *new) | |||
| 87 | 96 | ||
| 88 | set_cred_user_ns(new, ns); | 97 | set_cred_user_ns(new, ns); |
| 89 | 98 | ||
| 99 | update_mnt_policy(ns); | ||
| 100 | |||
| 90 | return 0; | 101 | return 0; |
| 91 | } | 102 | } |
| 92 | 103 | ||