diff options
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/pid_namespace.c | 3 | ||||
| -rw-r--r-- | kernel/user.c | 2 | ||||
| -rw-r--r-- | kernel/user_namespace.c | 11 |
3 files changed, 15 insertions, 1 deletions
diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c index c1c3dc1c6023..bea15bdf82b0 100644 --- a/kernel/pid_namespace.c +++ b/kernel/pid_namespace.c | |||
| @@ -181,6 +181,7 @@ void zap_pid_ns_processes(struct pid_namespace *pid_ns) | |||
| 181 | int nr; | 181 | int nr; |
| 182 | int rc; | 182 | int rc; |
| 183 | struct task_struct *task, *me = current; | 183 | struct task_struct *task, *me = current; |
| 184 | int init_pids = thread_group_leader(me) ? 1 : 2; | ||
| 184 | 185 | ||
| 185 | /* Don't allow any more processes into the pid namespace */ | 186 | /* Don't allow any more processes into the pid namespace */ |
| 186 | disable_pid_allocation(pid_ns); | 187 | disable_pid_allocation(pid_ns); |
| @@ -230,7 +231,7 @@ void zap_pid_ns_processes(struct pid_namespace *pid_ns) | |||
| 230 | */ | 231 | */ |
| 231 | for (;;) { | 232 | for (;;) { |
| 232 | set_current_state(TASK_UNINTERRUPTIBLE); | 233 | set_current_state(TASK_UNINTERRUPTIBLE); |
| 233 | if (pid_ns->nr_hashed == 1) | 234 | if (pid_ns->nr_hashed == init_pids) |
| 234 | break; | 235 | break; |
| 235 | schedule(); | 236 | schedule(); |
| 236 | } | 237 | } |
diff --git a/kernel/user.c b/kernel/user.c index e81978e8c03b..8e635a18ab52 100644 --- a/kernel/user.c +++ b/kernel/user.c | |||
| @@ -51,6 +51,8 @@ struct user_namespace init_user_ns = { | |||
| 51 | .owner = GLOBAL_ROOT_UID, | 51 | .owner = GLOBAL_ROOT_UID, |
| 52 | .group = GLOBAL_ROOT_GID, | 52 | .group = GLOBAL_ROOT_GID, |
| 53 | .proc_inum = PROC_USER_INIT_INO, | 53 | .proc_inum = PROC_USER_INIT_INO, |
| 54 | .may_mount_sysfs = true, | ||
| 55 | .may_mount_proc = true, | ||
| 54 | }; | 56 | }; |
| 55 | EXPORT_SYMBOL_GPL(init_user_ns); | 57 | EXPORT_SYMBOL_GPL(init_user_ns); |
| 56 | 58 | ||
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c index b14f4d342043..a54f26f82eb2 100644 --- a/kernel/user_namespace.c +++ b/kernel/user_namespace.c | |||
| @@ -61,6 +61,15 @@ int create_user_ns(struct cred *new) | |||
| 61 | kgid_t group = new->egid; | 61 | kgid_t group = new->egid; |
| 62 | int ret; | 62 | int ret; |
| 63 | 63 | ||
| 64 | /* | ||
| 65 | * Verify that we can not violate the policy of which files | ||
| 66 | * may be accessed that is specified by the root directory, | ||
| 67 | * by verifing that the root directory is at the root of the | ||
| 68 | * mount namespace which allows all files to be accessed. | ||
| 69 | */ | ||
| 70 | if (current_chrooted()) | ||
| 71 | return -EPERM; | ||
| 72 | |||
| 64 | /* The creator needs a mapping in the parent user namespace | 73 | /* The creator needs a mapping in the parent user namespace |
| 65 | * or else we won't be able to reasonably tell userspace who | 74 | * or else we won't be able to reasonably tell userspace who |
| 66 | * created a user_namespace. | 75 | * created a user_namespace. |
| @@ -87,6 +96,8 @@ int create_user_ns(struct cred *new) | |||
| 87 | 96 | ||
| 88 | set_cred_user_ns(new, ns); | 97 | set_cred_user_ns(new, ns); |
| 89 | 98 | ||
| 99 | update_mnt_policy(ns); | ||
| 100 | |||
| 90 | return 0; | 101 | return 0; |
| 91 | } | 102 | } |
| 92 | 103 | ||