On Wed, May 23, 2018 at 06:25:34PM -0500, Eric W. Biederman wrote: > These filesystems already always set SB_I_NODEV so mknod will not be > useful for gaining control of any devices no matter their permissions. > This will allow overlayfs and applications to fakeroot to use device > nodes to represent things on disk. Excellent. Acked-by: Christian Brauner <christian@xxxxxxxxxx> > > Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> > --- > fs/namei.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/namei.c b/fs/namei.c > index 942c1f096f6b..20335896dcce 100644 > --- a/fs/namei.c > +++ b/fs/namei.c > @@ -3679,7 +3679,8 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) > if (error) > return error; > > - if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD)) > + if ((S_ISCHR(mode) || S_ISBLK(mode)) && > + !ns_capable(dentry->d_sb->s_user_ns, CAP_MKNOD)) > return -EPERM; > > if (!dir->i_op->mknod) > -- > 2.14.1 >
