
nsfs: tighten permission checks for ns iteration ioctls

Even privileged services should not necessarily be able to see other
privileged services' namespaces, so that they cannot leak information to each
other. Use the may_see_all_namespaces() helper, which centralizes this policy
until the nstree adapts.

Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-1-d2c2853313bd@kernel.org
Fixes: a1d220d9dafa ("nsfs: iterate through mount namespaces")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.12+
Signed-off-by: Christian Brauner <brauner@kernel.org>

+21
+13
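--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -199,6 +199,17 @@
 	return false;
 }
 
+static bool may_use_nsfs_ioctl(unsigned int cmd)
+{
+	switch (_IOC_NR(cmd)) {
+	case _IOC_NR(NS_MNT_GET_NEXT):
+		fallthrough;
+	case _IOC_NR(NS_MNT_GET_PREV):
+		return may_see_all_namespaces();
+	}
+	return true;
+}
+
 static long ns_ioctl(struct file *filp, unsigned int ioctl,
 		     unsigned long arg)
 {
@@ -225,6 +236,8 @@
 
 	if (!nsfs_ioctl_valid(ioctl))
 		return -ENOIOCTLCMD;
+	if (!may_use_nsfs_ioctl(ioctl))
+		return -EPERM;
 
 	ns = get_proc_ns(file_inode(filp));
 	switch (ioctl) {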
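Review bot: The `fallthrough;` in may_use_nsfs_ioctl() sits between two case labels with no statement between them; the kernel's fallthrough pseudo-keyword is only needed when code precedes the next label, so the two labels can simply be stacked: `case _IOC_NR(NS_MNT_GET_NEXT):` / `case _IOC_NR(NS_MNT_GET_PREV):` / `return may_see_all_namespaces();`. The helper also carries no comment stating that it keys on _IOC_NR() alone, i.e. it relies on nsfs_ioctl_valid() having already rejected commands with a foreign type or size, which the second hunk guarantees only because the -EPERM check is placed after the -ENOIOCTLCMD one; suggest `/* @cmd must already have passed nsfs_ioctl_valid(); only the command number is inspected. */` above the definition so that ordering is not broken by a later reshuffle. ns_ioctl()'s body continues outside the second hunk.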
+2
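--- a/include/linux/ns_common.h
+++ b/include/linux/ns_common.h
@@ -55,6 +55,8 @@
 
 #define ns_common_free(__ns) __ns_common_free(to_ns_common((__ns)))
 
+bool may_see_all_namespaces(void);
+
 static __always_inline __must_check int __ns_ref_active_read(const struct ns_common *ns)
 {
 	return atomic_read(&ns->__ns_ref_active);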
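Review bot: The new may_see_all_namespaces() prototype is exported from ns_common.h without any comment on what "see all namespaces" means, although this header is where other namespace code will discover it. A one-line comment on the declaration would keep the policy discoverable from the header: `/* True if the calling task may observe namespaces belonging to other tasks; requires the initial pid namespace and CAP_SYS_ADMIN in its user namespace. */`. The commit message says the helper is an interim measure until the nstree adapts, which is worth repeating here so the declaration is revisited when that happens.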
+6
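--- a/kernel/nscommon.c
+++ b/kernel/nscommon.c
@@ -309,3 +309,9 @@
 		return;
 	}
 }
+
+bool may_see_all_namespaces(void)
+{
+	return (task_active_pid_ns(current) == &init_pid_ns) &&
+	       ns_capable_noaudit(init_pid_ns.user_ns, CAP_SYS_ADMIN);
+}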
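Review bot: may_see_all_namespaces() is defined without a kernel-doc comment even though it becomes the single place that encodes the cross-service namespace visibility policy, and the function name does not say that it evaluates `current`. Suggest a short kernel-doc block above it stating that it checks the calling task, that both conditions (initial pid namespace and CAP_SYS_ADMIN in the initial user namespace) are required, and that callers are expected to fail closed when it returns false. The use of ns_capable_noaudit() also means a caller that ns_ioctl() now refuses with -EPERM leaves no audit record; if that is intentional, because unprivileged services are expected to probe these ioctls routinely, a one-line comment saying so would stop a later reader from switching it to ns_capable() and reintroducing audit noise, and if it is not intentional the audited variant is the safer default for a permission failure.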