Re: [PATCH] fuse: allow CAP_SYS_ADMIN in root userns to access allow_other mount

On Thu, 2021-11-11 at 14:11 -0800, Dave Marchevsky wrote:
> 
> This patch adds an escape hatch to the descendant userns logic
> specifically for processes with CAP_SYS_ADMIN in the root userns. Such
> processes can already do many dangerous things regardless of namespace,
> and moreover could fork and setns into any child userns with a FUSE
> mount, so it's reasonable to allow them to interact with all allow_other
> FUSE filesystems.
> 
> Signed-off-by: Dave Marchevsky <davemarchevsky@xxxxxx>
> Cc: Miklos Szeredi <miklos@xxxxxxxxxx>
> Cc: Seth Forshee <sforshee@xxxxxxxxxxxxxxxx>
> Cc: Rik van Riel <riel@xxxxxxxxxxx>
> Cc: kernel-team@xxxxxx

This will also want a:

Fixes: 73f03c2b4b52 ("fuse: Restrict allow_other to the superblock's namespace or a descendant")
Cc: stable@xxxxxxxxxx

The patch itself looks good to my untrained eye, but could
probably use some attention from somebody who really understands
the VFS :)

-- 
All Rights Reversed.
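
Added example, not part of the original message or the patch: a simplified user-space C model of the access decision discussed above, comparing the descendant-only rule with the rule that also admits CAP_SYS_ADMIN in the root userns. The struct and function names and the namespace hierarchy are hypothetical and constructed for illustration; this is not the kernel's code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model; all names here are hypothetical. */
struct userns { const struct userns *parent; };  /* parent == NULL: root userns */
struct task {
    const struct userns *ns;  /* user namespace the task runs in */
    bool cap_sys_admin;       /* holds CAP_SYS_ADMIN relative to its own ns */
};

/* True if ns is target itself or one of target's descendants. */
static bool in_userns(const struct userns *ns, const struct userns *target)
{
    for (; ns != NULL; ns = ns->parent)
        if (ns == target)
            return true;
    return false;
}

/* Descendant-only rule: the mount's userns or a descendant may access. */
static bool allow_other_before(const struct task *t, const struct userns *mnt_ns)
{
    return in_userns(t->ns, mnt_ns);
}

/* With the escape hatch: also admit CAP_SYS_ADMIN held in the root userns. */
static bool allow_other_after(const struct task *t, const struct userns *mnt_ns)
{
    bool root_admin = t->cap_sys_admin && t->ns->parent == NULL;
    return in_userns(t->ns, mnt_ns) || root_admin;
}

/* Constructed hierarchy: root -> { container_a -> nested, container_b }. */
static const struct userns root_ns = { NULL };
static const struct userns container_a = { &root_ns };
static const struct userns container_b = { &root_ns };
static const struct userns nested = { &container_a };
static const struct task host_admin = { &root_ns, true };
static const struct task host_user = { &root_ns, false };
static const struct task sibling_admin = { &container_b, true };
static const struct task nested_user = { &nested, false };

int main(void)
{
    printf("host admin, mount in container_a: before=%d after=%d\n",
           allow_other_before(&host_admin, &container_a),
           allow_other_after(&host_admin, &container_a));
    return 0;
}
```

In this model an admin confined to a sibling namespace and an unprivileged host user stay denied under both rules; only the root-userns admin changes from denied to allowed.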
