nsfs: tighten permission checks for ns iteration ioctls

Even privileged services should not necessarily be able to see other
privileged services' namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.

Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-1-d2c2853313bd@kernel.org
Fixes: a1d220d9da ("nsfs: iterate through mount namespaces")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.12+
Signed-off-by: Christian Brauner <brauner@kernel.org>
Christian Brauner 2026-02-26 14:50:09 +01:00
parent a0b4c7a491
commit e6b899f080
No known key found for this signature in database
GPG key ID: 91C61BC06578DCA2
3 changed files with 21 additions and 0 deletions

@ -309,3 +309,9 @@ void __ns_ref_active_get(struct ns_common *ns)
return;
}
}
bool may_see_all_namespaces(void)
{
return (task_active_pid_ns(current) == &init_pid_ns) &&
ns_capable_noaudit(init_pid_ns.user_ns, CAP_SYS_ADMIN);
}
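
Review bot: may_see_all_namespaces() carries no comment stating the policy it encodes, even though the commit message describes it as the one place where that policy is centralized. A short comment above the function would help callers: it should say that the check passes only when the caller's active pid namespace is init_pid_ns and the caller holds CAP_SYS_ADMIN in init_pid_ns.user_ns, and that ns_capable_noaudit() is used so a denied check leaves no audit record. The commit message also calls the helper a stopgap "until the nstree adapts", and that is worth recording in the same comment so the function is revisited later. The stats line reports 3 changed files, but only this hunk is visible here, so the header declaration and the ioctl call sites that use the helper cannot be checked from this page.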