Re: [PATCH 2/2] acct: block access to kernel internal filesystems

From: Al Viro
Date: Tue Feb 11 2025 - 15:54:40 EST

Next message: Tejun Heo: "Re: [PATCH] mm, percpu: do not consider sleepable allocations atomic"
Previous message: Kaplan, David: "RE: [PATCH v3 21/35] x86/bugs: Determine relevant vulnerabilities based on attack vector controls."
In reply to: Amir Goldstein: "Re: [PATCH 2/2] acct: block access to kernel internal filesystems"
Next in thread: Christian Brauner: "Re: [PATCH 2/2] acct: block access to kernel internal filesystems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Feb 11, 2025 at 06:16:00PM +0100, Christian Brauner wrote:
> There's no point in allowing anything kernel internal nor procfs or
> sysfs.

> + /* Exclude kernel kernel internal filesystems. */
> + if (file_inode(file)->i_sb->s_flags & (SB_NOUSER | SB_KERNMOUNT)) {
> + kfree(acct);
> + filp_close(file, NULL);
> + return -EINVAL;
> + }
> +
> + /* Exclude procfs and sysfs. */
> + if (file_inode(file)->i_sb->s_iflags & SB_I_USERNS_VISIBLE) {
> + kfree(acct);
> + filp_close(file, NULL);
> + return -EINVAL;
> + }

That looks like a really weird way to test it, especially the second
part...

Next message: Tejun Heo: "Re: [PATCH] mm, percpu: do not consider sleepable allocations atomic"
Previous message: Kaplan, David: "RE: [PATCH v3 21/35] x86/bugs: Determine relevant vulnerabilities based on attack vector controls."
In reply to: Amir Goldstein: "Re: [PATCH 2/2] acct: block access to kernel internal filesystems"
Next in thread: Christian Brauner: "Re: [PATCH 2/2] acct: block access to kernel internal filesystems"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]