On Thu, 2021-11-11 at 14:11 -0800, Dave Marchevsky wrote: > > This patch adds an escape hatch to the descendant userns logic > specifically for processes with CAP_SYS_ADMIN in the root userns. > Such > processes can already do many dangerous things regardless of > namespace, > and moreover could fork and setns into any child userns with a FUSE > mount, so it's reasonable to allow them to interact with all > allow_other > FUSE filesystems. > > Signed-off-by: Dave Marchevsky <davemarchevsky@xxxxxx> > Cc: Miklos Szeredi <miklos@xxxxxxxxxx> > Cc: Seth Forshee <sforshee@xxxxxxxxxxxxxxxx> > Cc: Rik van Riel <riel@xxxxxxxxxxx> > Cc: kernel-team@xxxxxx This will also want a: Fixes: 73f03c2b4b52 ("fuse: Restrict allow_other to the superblock's namespace or a descendant") Cc: stable@xxxxxxxxxx The patch itself looks good to my untrained eye, but could probably use some attention from somebody who really understands the VFS :) -- All Rights Reversed.
Attachment:
signature.asc
Description: This is a digitally signed message part