Quoting Glauber Costa (glommer@xxxxxxxxxxxxx):
> On 03/15/2013 06:37 PM, Serge Hallyn wrote:
> > Quoting Glauber Costa (glommer@xxxxxxxxxxxxx):
> >> Since we have strict control on who accesses the devices, it should be
> >> no problem to allow the device to appear.
> >>
> >> Signed-off-by: Glauber Costa <glommer@xxxxxxxxxxxxx>
> >> Cc: Aristeu Rozanski <aris@xxxxxxxxxx>
> >> Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx>
> >> Cc: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
> >> ---
> >>  fs/namei.c | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/fs/namei.c b/fs/namei.c
> >> index 8a34d79..d0b4549 100644
> >> --- a/fs/namei.c
> >> +++ b/fs/namei.c
> >> @@ -3126,7 +3126,7 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
> >>  	if (error)
> >>  		return error;
> >>
> >> -	if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
> >> +	if ((S_ISCHR(mode) || S_ISBLK(mode)) && !nsown_capable(CAP_MKNOD))
> >
> > I realize you're arguing that devicens is enough, but how about
> > doing inode_capable(dir, CAP_MKNOD) instead?
> >
> I see no reason not to do it.

Cool, with that

Acked-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxx>

thanks.
-serge
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
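Review bot: the `+` line in the vfs_mknod hunk replaces `capable(CAP_MKNOD)` with `nsown_capable(CAP_MKNOD)`, which only asks whether the caller holds CAP_MKNOD in its own user namespace; it does not consider which namespace owns `dir`, so any unprivileged process that creates a user namespace (and so holds CAP_MKNOD there) passes this check for a char or block node in any directory it may write to. The `inode_capable(dir, CAP_MKNOD)` form suggested in the thread ties the check to the inode's owner mapping and is the one the Acked-by is conditioned on, so the hunk should carry that call rather than `nsown_capable`, and the commit message should say what the "strict control on who accesses the devices" actually is (the devicens work is not part of this patch), since this one-line change is otherwise the only thing standing between an unprivileged user namespace and device node creation.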