On Wed, May 23, 2018 at 06:25:34PM -0500, Eric W. Biederman wrote: > These filesystems already always set SB_I_NODEV so mknod will not be > useful for gaining control of any devices no matter their permissions. > This will allow overlayfs and applications to fakeroot to use device > nodes to represent things on disk. > > Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> For a normal filesystem this does seem safe enough. However, I'd also like to see us allow unprivileged mounting for overlayfs, and there we need to worry about whether this would allow a mknod in an underlying filesystem which should not be allowed. That mknod will be subject to this same check in the underlying filesystem using the credentials of the user that mounted the overaly fs, which should be sufficient to ensure that the mknod is permitted. Thus this looks okay to me. Acked-by: Seth Forshee <seth.forshee@xxxxxxxxxxxxx>