Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

nsfs: tighten permission checks for handle opening

Even privileged services should not necessarily be able to see other
privileged services' namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.

Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-2-d2c2853313bd@kernel.org
Fixes: 5222470b2fbb ("nsfs: support file handles")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.18+
Signed-off-by: Christian Brauner <brauner@kernel.org>

+1 -1
fs/nsfs.c
··· 627 627 return ERR_PTR(-EOPNOTSUPP); 628 628 } 629 629 630 - if (owning_ns && !ns_capable(owning_ns, CAP_SYS_ADMIN)) { 630 + if (owning_ns && !may_see_all_namespaces()) { 631 631 ns->ops->put(ns); 632 632 return ERR_PTR(-EPERM); 633 633 }
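Review bot: The `owning_ns &&` guard at line 630 is kept even though the replacement check no longer uses `owning_ns`, so the -EPERM path is still skipped whenever `owning_ns` is NULL. may_see_all_namespaces() takes no argument, which means the decision is no longer relative to the owning user namespace the way ns_capable(owning_ns, CAP_SYS_ADMIN) was. If the policy is meant to apply to every handle open, drop the guard and test `!may_see_all_namespaces()` on its own. If the NULL case is deliberately exempt, a one-line comment above the condition saying which namespaces have no owning_ns and why they skip the visibility check would make that clear to later readers and to stable backporters.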