| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 4 Dec 2015 13:02:57 -0600 From: "Serge E. Hallyn" <serge@...lyn.com> To: Seth Forshee <seth.forshee@...onical.com> Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Alexander Viro <viro@...iv.linux.org.uk>, Serge Hallyn <serge.hallyn@...onical.com>, Richard Weinberger <richard.weinberger@...il.com>, Austin S Hemmelgarn <ahferroin7@...il.com>, Miklos Szeredi <miklos@...redi.hu>, linux-bcache@...r.kernel.org, dm-devel@...hat.com, linux-raid@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mtd@...ts.infradead.org, linux-fsdevel@...r.kernel.org, fuse-devel@...ts.sourceforge.net, linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov Subject: Re: [PATCH 13/19] fs: Allow superblock owner to access do_remount_sb() Quoting Seth Forshee (seth.forshee@...onical.com): > Superblock level remounts are currently restricted to global > CAP_SYS_ADMIN, as is the path for changing the root mount to > read only on umount. Loosen both of these permission checks to > also allow CAP_SYS_ADMIN in any namespace which is privileged > towards the userns which originally mounted the filesystem. > > Signed-off-by: Seth Forshee <seth.forshee@...onical.com> > Acked-by: "Eric W. Biederman" <ebiederm@...ssion.com> > --- Acked-by: Serge Hallyn <serge.hallyn@...onical.com> > fs/namespace.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/fs/namespace.c b/fs/namespace.c > index 18fc58760aec..b00a765895e7 100644 > --- a/fs/namespace.c > +++ b/fs/namespace.c > @@ -1510,7 +1510,7 @@ static int do_umount(struct mount *mnt, int flags) > * Special case for "unmounting" root ... > * we just try to remount it readonly. > */ > - if (!capable(CAP_SYS_ADMIN)) > + if (!ns_capable(sb->s_user_ns, CAP_SYS_ADMIN)) > return -EPERM; > down_write(&sb->s_umount); > if (!(sb->s_flags & MS_RDONLY)) > @@ -2199,7 +2199,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags, > down_write(&sb->s_umount); > if (flags & MS_BIND) > err = change_mount_flags(path->mnt, flags); > - else if (!capable(CAP_SYS_ADMIN)) > + else if (!ns_capable(sb->s_user_ns, CAP_SYS_ADMIN)) > err = -EPERM; > else > err = do_remount_sb(sb, flags, data, 0); > -- > 1.9.1 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in > the body of a message to majordomo@...r.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > Please read the FAQ at http://www.tux.org/lkml/ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists