On 03/15/2013 06:37 PM, Serge Hallyn wrote:
> Quoting Glauber Costa (glommer@xxxxxxxxxxxxx):
>> Since we have strict control on who access the devices, it should be
>> no problem to allow the device to appear.
>>
>> Signed-off-by: Glauber Costa <glommer@xxxxxxxxxxxxx>
>> Cc: Aristeu Rozanski <aris@xxxxxxxxxx>
>> Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx>
>> Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
>> ---
>>  fs/namei.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/fs/namei.c b/fs/namei.c
>> index 8a34d79..d0b4549 100644
>> --- a/fs/namei.c
>> +++ b/fs/namei.c
>> @@ -3126,7 +3126,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
>>  if (error)
>>  return error;
>>
>> - if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
>> + if ((S_ISCHR(mode) || S_ISBLK(mode)) && !nsown_capable(CAP_MKNOD))
>
> I realize you're arguing that devicens is enough, but how about
> doing inode_capable(dir, CAP_MKNOD) instead?
>

I see no reason not to do it.

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
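Review bot: the `+` line's nsown_capable(CAP_MKNOD) only asks whether the caller holds CAP_MKNOD in its own user namespace, so any process that has created its own user namespace passes this check no matter which namespace owns `dir`; this is the gap behind Serge's inode_capable(dir, CAP_MKNOD) suggestion, which additionally requires the directory's owner to be mapped in the caller's namespace and should be taken. The commit message should also name the mechanism the "strict control on who access the devices" justification depends on (the device namespace the reply refers to), since nothing in this hunk enforces that control and a reader of fs/namei.c alone cannot see why relaxing capable() is safe.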