Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull user-namespace fix from Eric Biederman:
"Eric Windish recently reported a really bug that allows mounting fresh
copies of proc and sysfs when it really should not be allowed. The
code attempted to verify that proc and sysfs were fully visible but
there is a test missing to ensure that the root of the filesystem is
visible. Doh!

The following patch fixes that.

This fixes a containment issue that the docker folks are seeing"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
mnt: Fix fs_fully_visible to verify the root directory is visible

+6
+6
fs/namespace.c
··· 3179 3179 if (mnt->mnt.mnt_sb->s_type != type) 3180 3180 continue; 3181 3181 3182 + /* This mount is not fully visible if it's root directory 3183 + * is not the root directory of the filesystem. 3184 + */ 3185 + if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root) 3186 + continue; 3187 + 3182 3188 /* This mount is not fully visible if there are any child mounts 3183 3189 * that cover anything except for empty directories. 3184 3190 */
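Review bot: the added comment at new lines 3182-3184 reads "it's root directory"; this should be "its root directory". The comment would also be more useful if it said why such a mount does not count. A mount whose mnt_root differs from mnt_sb->s_root exposes only a subtree of the filesystem, so it cannot serve as evidence that the whole filesystem is already visible, which is the missing test the merge message describes. The placement of the check looks right: it comes after the s_type filter and before the child-mount scan, so a mount rooted below s_root is skipped before its children are examined.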