Commit 51dfcb076d1e1ce7006aa272cb7c4514740c7e47
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
Pull user-namespace fix from Eric Biederman: "Eric Windish recently reported a really bug that allows mounting fresh copies of proc and sysfs when it really should not be allowed. The code attempted to verify that proc and sysfs were fully visible but there is a test missing to ensure that the root of the filesystem is visible. Doh! The following patch fixes that. This fixes a containment issue that the docker folks are seeing" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: mnt: Fix fs_fully_visible to verify the root directory is visible
Showing 1 changed file Side-by-side Diff
fs/namespace.c
| ... | ... | @@ -3179,6 +3179,12 @@ |
| 3179 | 3179 | if (mnt->mnt.mnt_sb->s_type != type) |
| 3180 | 3180 | continue; |
| 3181 | 3181 | |
| 3182 | + /* This mount is not fully visible if it's root directory | |
| 3183 | + * is not the root directory of the filesystem. | |
| 3184 | + */ | |
| 3185 | + if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root) | |
| 3186 | + continue; | |
| 3187 | + | |
| 3182 | 3188 | /* This mount is not fully visible if there are any child mounts |
| 3183 | 3189 | * that cover anything except for empty directories. |
| 3184 | 3190 | */ |