summaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorEric W. Biederman <ebiederm@xmission.com>2013-03-25 19:57:10 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2013-09-26 17:21:57 -0700
commit43be3c13b8d9cd9c3b9820baff6b6e108d00aeb5 (patch)
tree3929470d1b6e2e1d419e4f73b7af8e526c0f5312 /fs
parentedf125ced1bf525546c22ad3fd7cf8a6d6cd3339 (diff)
proc: Restrict mounting the proc filesystem
commit aee1c13dd0f6c2fc56e0e492b349ee8ac655880f upstream. Don't allow mounting the proc filesystem unless the caller has CAP_SYS_ADMIN rights over the pid namespace. The principle here is if you create or have capabilities over it you can mount it, otherwise you get to live with what other people have mounted. Andy pointed out that this is needed to prevent users in a user namespace from remounting proc and specifying different hidepid and gid options on already existing proc mounts. Reported-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs')
-rw-r--r--fs/proc/root.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/proc/root.c b/fs/proc/root.c
index e0a790da726d..0e0e83c4df49 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -110,7 +110,8 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
ns = task_active_pid_ns(current);
options = data;
- if (!current_user_ns()->may_mount_proc)
+ if (!current_user_ns()->may_mount_proc ||
+ !ns_capable(ns->user_ns, CAP_SYS_ADMIN))
return ERR_PTR(-EPERM);
}