Re: [PATCH v5 13/16] ima: Move some IMA policy and filesystem related variables into ima_namespace

From: Stefan Berger
Date: Fri Dec 10 2021 - 15:08:44 EST



On 12/10/21 06:32, Christian Brauner wrote:
From ecf25d6b2b5895005d4103169bdb55d970e7a865 Mon Sep 17 00:00:00 2001
From: Christian Brauner<christian.brauner@xxxxxxxxxx>
Date: Fri, 10 Dec 2021 11:56:25 +0100
Subject: [PATCH 2/2] !!!! HERE BE DRAGONS - COMPLETELY UNTESTED !!!!

securityfs: don't allow mounting from outside the filesystem's userns

If we ever need to allow that we should revisit the semantics.
---
security/inode.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/inode.c b/security/inode.c
index eaccba7017d9..71f9634228f3 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -43,7 +43,10 @@ static int securityfs_fill_super(struct super_block *sb, struct fs_context *fc)
{
static const struct tree_descr files[] = {{""}};
struct user_namespace *ns = fc->user_ns;
- int error;
+ int error = -EINVAL;
+
+ if (WARN_ON(ns != current_user_ns()))
+ return error;
error = simple_fill_super(sb, SECURITYFS_MAGIC, files);
if (error)
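
Review bot: The new check `if (WARN_ON(ns != current_user_ns()))` in securityfs_fill_super() carries no comment saying when `fc->user_ns` can differ from the caller's user namespace, and the commit message only says the case should be revisited "if we ever need to allow that". A short comment above the check that names the situation being rejected would help. If that situation can be triggered by a mount request rather than only by a kernel bug, WARN_ON is the wrong tool, because it logs a warning on every hit; a plain `return -EINVAL;` or WARN_ON_ONCE would fit better. Two smaller points: `int error = -EINVAL;` is initialized only to feed this one return, so returning -EINVAL directly would leave the declaration untouched, and a blank line between `return error;` and the `simple_fill_super()` call would keep the early exit visually separate.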


Oops, I hadn't seen this patch. How can one 'mount from outside the filesystem's userns'?