pidfs: raise SB_I_NODEV and SB_I_NOEXEC

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Similar to commit 1ed95281c0c7 ("anon_inode: raise SB_I_NODEV and SB_I_NOEXEC"):
it shouldn't be possible to execute pidfds via
execveat(fd_anon_inode, "", NULL, NULL, AT_EMPTY_PATH)
so raise SB_I_NOEXEC so that no one gets any creative ideas.

Also raise SB_I_NODEV as we don't expect or support any devices on pidfs.

Link: https://lore.kernel.org/20250618-work-pidfs-persistent-v2-1-98f3456fd552@kernel.org
Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>

Christian Brauner 1 year ago 1a1ad73a 19272b37

1 changed file

expand all

pidfs.c

fs/pidfs.c

··· 891 891 if (!ctx) 892 892 return -ENOMEM; 893 893 894 + fc->s_iflags |= SB_I_NOEXEC; 895 + fc->s_iflags |= SB_I_NODEV; 894 896 ctx->ops = &pidfs_sops; 895 897 ctx->eops = &pidfs_export_operations; 896 898 ctx->dops = &pidfs_dentry_operations;

Configure Feed

Configure Feed