On Tue, Jul 21, 2020 at 06:28:10PM +0200, Christoph Hellwig wrote:
> +int __init init_chroot(const char *filename)
> +{
> + struct path path;
> + int error;
> +
> + error = kern_path(filename, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path);
> + if (error)
> + return error;
> + error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR);
Matter of taste, but if we do that, I wonder if we would be better off with
error = inode_permission(path.dentry->d_inode, MAY_EXEC | MAY_CHDIR);
if (!error && !ns_capable(current_user_ns(), CAP_SYS_CHROOT))
error = -EPERM;
if (!error)
error = security_path_chroot(&path);
if (!error)
set_fs_root(current->fs, &path);
path_put(&path);
return error;
