Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2946976imm;
        Thu, 24 May 2018 19:39:40 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZqPj85G2W4Ew/SN6ee/sYuegwyqejHE1NL6jZNzKDxhIuE2ch+RyOX3WQSNJx2bzRRv/oUc
X-Received: by 2002:a62:c858:: with SMTP id z85-v6mr573474pff.81.1527215980886;
        Thu, 24 May 2018 19:39:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527215980; cv=none;
        d=google.com; s=arc-20160816;
        b=OlXe8ASJmvF97wBNU5AAHWEUHhGNIUGLSE1+wJm99zsW4/kMxJp29ngp0DB16zL1EG
         Bz60jfr5/bRAmQ6rUQxFudA0rqw7pMXLoFYB1SsKxxs80X7CqqV4hutBb2X1U0EhUSnh
         WRtx2ldNh9h7XdjMSnMQQRpFFLdL7kNMlczuytbrPTka16jR5NS+Hlsq3nDWOPDo1ZUM
         Fnw9ni+dq2xIzYAwv2prM9oJlJcyIga6ukDCDlJdLiYk6K4keTFLlve4W62cwh98jSgD
         F2nI36kxMCc93xrN/PQksHKIu6TOpZ3qjeaaTfY3206NnldvLqB/bKE00BGnnZ52hQ+8
         ex6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date
         :arc-authentication-results;
        bh=M7eaDq0MpUV18zkOV+X6EhEHWoGVOHFro5XahJUKuH4=;
        b=otNTm0nHIjQCNGGdRpgACayn644fLA1EuSCArBwhIviqaWn/ggAxRpQGBwCVepVfGS
         DVA1uE1hTU5AWaQ2Uxtwd8ILMRRSJcyE/kUKiVAYAQM+Pe1tuhBKBZ5EMf2ML69KAL4i
         RjWFB5j1d6u8p7PXAn6TrPJgXDLEusczobhfLV1EWUD+hlof0YuJMj2n4h6HztKugK4c
         Dh/w+fQebZB6HOYNUK1g+yLoccoA1PHEkAXBIKEq641zikeKKjMW/yHuCZZ36KFatlnW
         f1ZU9nngosDA+IWfv35OHdMKjisVhfzcqCCTovRe/ztrcmtCbqy2EKTs30W5ecvt+OjO
         7mVA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k18-v6si22566980pfe.13.2018.05.24.19.39.26;
        Thu, 24 May 2018 19:39:40 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1034497AbeEXTMj (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Thu, 24 May 2018 15:12:39 -0400
Received: from mx2.mailbox.org ([80.241.60.215]:39160 "EHLO mx2.mailbox.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1034448AbeEXTMh (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 24 May 2018 15:12:37 -0400
Received: from smtp2.mailbox.org (smtp2.mailbox.org [80.241.60.241])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mx2.mailbox.org (Postfix) with ESMTPS id 79D5641B4F;
        Thu, 24 May 2018 21:12:35 +0200 (CEST)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp2.mailbox.org ([80.241.60.241])
        by hefe.heinlein-support.de (hefe.heinlein-support.de [91.198.250.172]) (amavisd-new, port 10030)
        with ESMTP id fwd-SxbTeI34; Thu, 24 May 2018 21:12:34 +0200 (CEST)
Date:   Thu, 24 May 2018 21:12:32 +0200
From:   Christian Brauner <christian@brauner.io>
To:     "Eric W. Biederman" <ebiederm@xmission.com>
Cc:     Linux Containers <containers@lists.linux-foundation.org>,
        linux-fsdevel@vger.kernel.org,
        Seth Forshee <seth.forshee@canonical.com>,
        "Serge E. Hallyn" <serge@hallyn.com>, linux-kernel@vger.kernel.org
Subject: Re: [REVIEW][PATCH 2/6] vfs: Allow userns root to call mknod on
 owned filesystems.
Message-ID: <20180524191232.GA7573@mailbox.org>
References: <87o9h6554f.fsf@xmission.com>
 <20180523232538.4880-2-ebiederm@xmission.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20180523232538.4880-2-ebiederm@xmission.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 23, 2018 at 06:25:34PM -0500, Eric W. Biederman wrote:
> These filesystems already always set SB_I_NODEV so mknod will not be
> useful for gaining control of any devices no matter their permissions.
> This will allow overlayfs and applications to fakeroot to use device
> nodes to represent things on disk.

Excellent.

Acked-by: Christian Brauner <christian@brauner.io>

> 
> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
> ---
>  fs/namei.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/namei.c b/fs/namei.c
> index 942c1f096f6b..20335896dcce 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -3679,7 +3679,8 @@ int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
>  	if (error)
>  		return error;
>  
> -	if ((S_ISCHR(mode) || S_ISBLK(mode)) && !capable(CAP_MKNOD))
> +	if ((S_ISCHR(mode) || S_ISBLK(mode)) &&
> +	    !ns_capable(dentry->d_sb->s_user_ns, CAP_MKNOD))
>  		return -EPERM;
>  
>  	if (!dir->i_op->mknod)
> -- 
> 2.14.1
>