Programs have been known to test for empty directories by attempting to remove them. To keep from violating the principle of least surprise don't let directories the caller can see with someting mounted on them be deleted. With a little luck this may prevent commands stupid commands like rm -rf from eating your system. Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> --- fs/namei.c | 21 +++++++++++++++++++++ 1 files changed, 21 insertions(+), 0 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index b18b017c946b..b9cae480ac27 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -3547,6 +3547,20 @@ void dentry_unhash(struct dentry *dentry) spin_unlock(&dentry->d_lock); } +static bool covered(struct vfsmount *mnt, struct dentry *dentry) +{ + /* test to see if a dentry is covered with a mount in + * the current mount namespace. + */ + bool is_covered; + + rcu_read_lock(); + is_covered = d_mountpoint(dentry) && __lookup_mnt(mnt, dentry, 1); + rcu_read_unlock(); + + return is_covered; +} + int vfs_rmdir(struct inode *dir, struct dentry *dentry) { int error = may_delete(dir, dentry, 1); @@ -3619,6 +3633,9 @@ retry: error = -ENOENT; goto exit3; } + error = -EBUSY; + if (covered(nd.path.mnt, dentry)) + goto exit3; error = security_path_rmdir(&nd.path, dentry); if (error) goto exit3; @@ -4155,6 +4172,10 @@ retry: error = -ENOTEMPTY; if (new_dentry == trap) goto exit5; + error = -EBUSY; + if (new_dentry->d_inode && S_ISDIR(new_dentry->d_inode->i_mode) && + covered(newnd.path.mnt, new_dentry)) + goto exit5; error = security_path_rename(&oldnd.path, old_dentry, &newnd.path, new_dentry); -- 1.7.5.4 -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html