[PATCH 1/1] Don't allow user namespaces to bind new subsystems

From: Serge Hallyn
Date: Mon Nov 16 2015 - 20:11:07 EST


If memory was not mounted on the host, then root in a container
should not be able to mount it.

Signed-off-by: Serge Hallyn <serge.hallyn@xxxxxxxxxx>
---
kernel/cgroup.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 0a3e893..db514b4 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2102,6 +2102,11 @@ static struct dentry *cgroup_mount(struct file_system_type *fs_type,
goto out_unlock;
}

+ if (!opts.none && !capable(CAP_SYS_ADMIN)) {
+ ret = -EPERM;
+ goto out_unlock;
+ }
+
root = kzalloc(sizeof(*root), GFP_KERNEL);
if (!root) {
ret = -ENOMEM;
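Review bot: the new condition is keyed on `opts.none` rather than on `opts.subsys_mask`, so it refuses more than the subject line ("bind new subsystems") and the commit message (the memory controller) describe: a hierarchy requested with `name=` but without the `none` option carries no subsystems yet would still fail with -EPERM for a caller lacking CAP_SYS_ADMIN in the initial user namespace. If the intent is only to stop an unprivileged user namespace from binding controllers to a new hierarchy, testing `opts.subsys_mask` states that directly; if named, subsystem-less hierarchies are meant to be refused as well, the commit message should say so. Either way the check deserves a short comment above `if (!opts.none && !capable(CAP_SYS_ADMIN)) {` explaining why plain `capable()` (initial-namespace capability) is used instead of `ns_capable()` here, since the surrounding cgroup_mount code gives no hint that this is deliberate.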
--
2.5.0
