Commit 667b4102 authored Sep 23, 2013 by Eric W. Biederman Committed by Greg Kroah-Hartman Sep 26, 2013

sysfs: Allow mounting without CONFIG_NET



In kobj_ns_current_may_mount the default should be to allow the
mount.  The test is only for a single kobj_ns_type at a time, and unless
there is a reason to prevent it the mounting sysfs should be allowed.
Subsystems that are not registered can't have are not involved so can't
have a reason to prevent mounting sysfs.

This is a bug-fix to:
    commit 7dc5dbc8
    Author: Eric W. Biederman <ebiederm@xmission.com>
    Date:   Mon Mar 25 20:07:01 2013 -0700

        sysfs: Restrict mounting sysfs

        Don't allow mounting sysfs unless the caller has CAP_SYS_ADMIN rights
        over the net namespace.  The principle here is if you create or have
        capabilities over it you can mount it, otherwise you get to live with
        what other people have mounted.

        Instead of testing this with a straight forward ns_capable call,
        perform this check the long and torturous way with kobject helpers,
        this keeps direct knowledge of namespaces out of sysfs, and preserves
        the existing sysfs abstractions.

        Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
        Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

That came in via the userns tree during the 3.12 merge window.

Reported-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 4a10c2ac

lib/kobject.c

+1 −4

Original line number	Diff line number	Diff line
		@@ -933,10 +933,7 @@ const struct kobj_ns_type_operations kobj_ns_ops(struct kobject kobj)

		bool kobj_ns_current_may_mount(enum kobj_ns_type type)
		{
		bool may_mount = false;

		if (type == KOBJ_NS_TYPE_NONE)
		return true;
		bool may_mount = true;

		spin_lock(&kobj_ns_type_lock);
		if ((type > KOBJ_NS_TYPE_NONE) && (type < KOBJ_NS_TYPES) &&

Admin message