Quoting Glauber Costa (glommer@xxxxxxxxxxxxx):
> Since we have strict control on who accesses the devices, it should be
> no problem to allow the device to appear.
>
> Signed-off-by: Glauber Costa <glommer@xxxxxxxxxxxxx>
> Cc: Aristeu Rozanski <aris@xxxxxxxxxx>
> Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx>
> Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
> ---
>  fs/namei.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/namei.c b/fs/namei.c
> index 8a34d79..d0b4549 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -3126,7 +3126,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
>  	if (error)
>  		return error;
>
> -	if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
> +	if ((S_ISCHR(mode) || S_ISBLK(mode)) && !nsown_capable(CAP_MKNOD))

I realize you're arguing that devicens is enough, but how about doing
inode_capable(dir, CAP_MKNOD) instead?

>  		return -EPERM;
>
>  	if (!dir->i_op->mknod)
> --
> 1.8.1.2
>
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
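Review bot: the `+` line in this hunk relaxes the privilege check for character and block device nodes from `capable(CAP_MKNOD)` to `nsown_capable(CAP_MKNOD)`, i.e. from privilege in the initial user namespace to privilege in the caller's own user namespace, but nothing in the hunk ties that privilege to the directory the node is created in, so a task that holds CAP_MKNOD only inside its own user namespace passes this check for any directory it can otherwise write to. The commit message justifies the relaxation by "strict control on who accesses the devices", which is a mechanism outside this patch and not visible in the diff; the suggestion in the reply, `inode_capable(dir, CAP_MKNOD)`, brings the target directory's inode into the check instead of relying on the caller's namespace alone, and is the safer form. If the weaker check is kept, the commit message should name the device-access control it depends on and state why it is guaranteed to be in place wherever vfs_mknod() can be reached.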