Commit 975d6b39 authored by Eric W. Biederman

vfs: Don't allow a user namespace root to make device nodes
Safely making device nodes in a container is solvable but simply
having the capability in a user namespace is not sufficient to make
this work.

Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
parent dd775ae2
+1 −2
@@ -2560,8 +2560,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
	if (error)
		return error;

	if ((S_ISCHR(mode) || S_ISBLK(mode)) &&
	    !ns_capable(inode_userns(dir), CAP_MKNOD))
	if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
		return -EPERM;

	if (!dir->i_op->mknod)
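Review bot: the switch from `ns_capable(inode_userns(dir), CAP_MKNOD)` to `capable(CAP_MKNOD)` leaves no comment in vfs_mknod recording why a user-namespace root that holds CAP_MKNOD must still be refused; add a one-line comment above the check (for example "device nodes in a user namespace are not yet safe; require CAP_MKNOD in the initial namespace", as the commit message states) so a later cleanup does not restore the namespace-scoped test. Also worth noting for the record that the condition still only gates S_ISCHR and S_ISBLK, so FIFO and socket creation through this path remain unaffected by CAP_MKNOD, which preserves the previous behaviour for those types.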