projects / linux-2.6-block.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
userns: Don't allow creation if the user is chrooted
[linux-2.6-block.git] / kernel / user_namespace.c
diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
index b14f4d3420439ca629be08494ef417e734513499..0f1e42884577c93b891a7da6aa149733ba2d5141 100644 (file)
--- a/kernel/user_namespace.c
+++ b/kernel/user_namespace.c
@@ -61,6 +61,15 @@ int create_user_ns(struct cred *new)
        kgid_t group = new->egid;
        int ret;
 
+       /*
+        * Verify that we can not violate the policy of which files
+        * may be accessed that is specified by the root directory,
+        * by verifing that the root directory is at the root of the
+        * mount namespace which allows all files to be accessed.
+        */
+       if (current_chrooted())
+               return -EPERM;
+
        /* The creator needs a mapping in the parent user namespace
         * or else we won't be able to reasonably tell userspace who
         * created a user_namespace.
Linux 6.x block layer and io_uring tree(s)