From: Serge Hallyn <serue at us.ibm.com>
Subject: [RFC] [PATCH 2/3] user ns: hook permission
Hook permission to check vfsmnt->user_ns against current.
Signed-off-by: Serge E. Hallyn <serue at us.ibm.com>
---
 fs/namei.c | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index dc4ff80..edf7c16 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -246,6 +246,8 @@ int permission(struct inode *inode, int
 return -EACCES;
 }
+ if (nd && !task_mnt_same_uid(current, nd->mnt))
+ return -EACCES;
 /*
 * MAY_EXEC on regular files requires special handling: We override
@@ -433,6 +435,8 @@ static int exec_permission_lite(struct i
 {
 umode_t mode = inode->i_mode;
+ if (!task_mnt_same_uid(current, nd->mnt))
+ return -EACCES;
 if (inode->i_op && inode->i_op->permission)
 return -EAGAIN;
-- 
1.4.1
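Review bot: In the first hunk (permission()), the new check is guarded by `nd &&`, so any call that arrives with a NULL nameidata skips the user-namespace comparison and continues to the ordinary mode checks; the hook fails open on that path. Which callers pass NULL is not visible in this hunk, but the guard suggests some do, and those are the paths where the mount's namespace is never consulted. Either those callers need a vfsmount to check against, or the gap should be recorded at the check, e.g. `/* NOTE: callers with nd == NULL are not covered by the user_ns check */`. The body of permission() starts and ends outside the hunk, so the interaction with the later MAY_EXEC handling cannot be confirmed from here.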
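Review bot: In the second hunk (exec_permission_lite()), `nd->mnt` is dereferenced with no NULL test, while the same check in permission() is written as `nd && ...`. If nd is guaranteed non-NULL on every path into this function, say so in a comment above the check, for example `/* nd is never NULL here (confirm against callers) */`, so the asymmetry reads as deliberate; if it is not guaranteed, the NULL case needs an explicit decision, and denying is the safer default for an access-control hook. The helper is named task_mnt_same_uid while the description speaks of comparing the mount's user_ns with the current task; its definition is not in this patch, so the name should be checked against what it actually compares. The function body continues past the end of the hunk.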