nsfs: tighten permission checks for ns iteration ioctls

Even privileged services should not necessarily be able to see other privileged service's namespaces so they can't leak information to each other. Use may_see_all_namespaces() helper that centralizes this policy until the nstree adapts. Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-1-d2c2853313bd@kernel.org Fixes: a1d220d9dafa ("nsfs: iterate through mount namespaces") Reviewed-by: Jeff Layton <jlayton@kernel.org> Cc: stable@kernel.org # v6.12+ Signed-off-by: Christian Brauner <brauner@kernel.org>
author: Christian Brauner <brauner@kernel.org> 2026-02-26 14:50:09 +0100
committer: Christian Brauner <brauner@kernel.org> 2026-02-27 22:00:08 +0100
commit: e6b899f08066e744f89df16ceb782e06868bd148 (patch)
tree: fe5fbdafe96c1c39aabef7e65eae4d210a79e8d7 /kernel
parent: a0b4c7a49137ed21279f354eb59f49ddae8dffc2 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/kernel/nscommon.c b/kernel/nscommon.c
index bdc3c86231d3..3166c1fd844a 100644
--- a/kernel/nscommon.c
+++ b/kernel/nscommon.c
@@ -309,3 +309,9 @@ void __ns_ref_active_get(struct ns_common *ns)
 			return;
 	}
 }
+
+bool may_see_all_namespaces(void)
+{
+	return (task_active_pid_ns(current) == &init_pid_ns) &&
+	       ns_capable_noaudit(init_pid_ns.user_ns, CAP_SYS_ADMIN);
+}
author	Christian Brauner <brauner@kernel.org>	2026-02-26 14:50:09 +0100
committer	Christian Brauner <brauner@kernel.org>	2026-02-27 22:00:08 +0100
commit	e6b899f08066e744f89df16ceb782e06868bd148 (patch)
tree	fe5fbdafe96c1c39aabef7e65eae4d210a79e8d7 /kernel
parent	a0b4c7a49137ed21279f354eb59f49ddae8dffc2 (diff)