Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38;
IronPort-PHdr: A9a23:z5bbSR8KWx2Npf9uWXO9ngc9DxPPxp3qa1dGopNykalHN7+j9s6/Y
 h+X7qB3gVvATYjXrOhJj+PGvqyzPA5I7cOPqnkfdpxLWRIfz8IQmg0rGsmeDkPnavXtan9yB
 5FZWVto9G28KxIQFtz3elvSpXO/93sVHBD+PhByPeP7BsvZiMHksoL6+8j9eQJN1ha0fb4gF
 wi8rwjaqpszjJB5I6k8jzrl8FBPffhbw38tGUOLkkTZx+KduaBu6T9RvPRzx4tlauDXb684R
 LpXAXEdPmY56dfCmTLDQACMtR5+Gm8WxzZPKQHByC7eZr2vnzu9jsF7n3G+EvL4f/cbfAyi7
 IZ0WjXMrD8cGn0pwECC2akSxKgOhyKI+0RT/ZaJXIKpNb1FQoT8TdZCXXptcfRcVClPDpOZN
 ZoCU9oQesgDsq2trncNpgSxKgb3JszvzwVioy/p87wR1tolGEbe3zc4DvkKunfSncWuZb8vQ
 /qb/bfzzB7aaNh72mblz9nvdQgz/fSBZI9OUOOK6kwEST3Zggm2p4fdeBWLj+oJimi23rs4b
 ser0UQ3tTB1hCmUls4Pm472pbs6lUnG3g9Sm6gEcI7wWAt6e9miCJxKq2SAOpBrRt93W2hzo
 3VSItwuvJe6eG0HxJsqxBeFNLqJaYGV5BLkWuuLZzt11zppe7O60g676lPoivb9Wc+9zEtQo
 2Jbn8PNuHEA212b6sWORvZnuEb08TiV3h3V6uZKLFpykqzeKpU7xaU3mIZVukPGdhI=
IronPort-SDR: 6538e32e_j66fqEKm0PJE88y0HQlU39rkjzJ4/UyWhB1Plu45Tg+nE2z
 xSTxrN96tLjfq0JZlBu8iwr4WcW38MdujSt5xJg==
IronPort-PHdr: A9a23:jwvf0BcPoGpij1yC0tdIxGHZlGM+/N/LVj580XJao6wbK/fr9sH4J
 0Wa/vVk1gKXDs3QvuhJj+PGvqynQ2EE6IaMvCNnEtRAAhEfgNgQnwsuDdTDDkv+LfXwaDc9E
 tgEX1hgrDmgZFNYHMv1e1rI+Di89zcPHBX4OwdvY+PzH4/ZlcOs0O6uvpbUZlYt5nK9NJ1oK
 xDkgQzNu5stnIFgJ60tmD7EuWBBdOkT5E86DlWVgxv6+oKM7YZuoQFxnt9kycNaSqT9efYIC
 JljSRk2OGA84sLm8CLOSweC/FIweWUbmRkbZmqN5hGvcpDbuy/eic5F8ne3LYrOZrZzARCN0
 KlZDzDNsCcEFiEr2kXzktddz7JrgUfywn43ydvzUKjJbNZAZv7hfu8bAlF9eedhUnRZEq+TX
 YYMCuQNLcMCvoShl0pJg0CjIVmlKODk1TBniSTU8q0/6c4EQR7ozSclIdYH92zXl83kH6MYU
 uaE3PKZ1QjRdd1nxwz8w5HPWT0i8OmrDJV3adiNzEQWKj3kpw6zrKe7AS+ZisIDuFDcyfQ5W
 +aWi0MW+llKhzz17Ncyu43vl7lFw3PV8hpa+alqPN+TYmUgT+/xQ9NA8iCAMI1uRdk+Bntlo
 zs+1ugesIWgL0Diqbwizh/bLvmbequhuEylWvyYPDF4g3xoYvSzikX6/Uuhz7jkX9KvmBZRr
 yVDm8XRrH1FyRHJ68aGR/c8tkes0DqCzUbSv8lKO0kpk6rcJZM7hLk2k5sYq0PYGSHq3k7xi
 cer
IronPort-Data: A9a23:SAHpj66KcDwUI4vem0pfrwxRtL3DchMFZxGqfqrLsTDasY5as4F+v
 jAXDTqCOvzcZmDxeIt+b9++9UoFuJbcm4NmGVBrpSthZn8b8sCt6fZ1gavT04N+CuWZESqLO
 u1HMoGowPgcFyOa/FH3WlTYhSEU/bmSQbbhA/LzNCl0RAt1IA8skhsLd9QR2+aEuvDnRVvW0
 T/Oi5eHYgT8g2Qpajt8B5+r8XuDgtyi4Fv0gXRjPZinjHeG/1EJAZQWI72GLneQauG4ycbjG
 o4vZJnglo/o109F5uGNy94XQWVWKlLmBjViv1INM0SUbriukQRpukozHKJ0hU66EFxllfgpo
 DlGncTYpQvEosQglcxFOyS0HR2SMoVo9I/3en3vt/Ws7BGBazzi2/5JK28faNhwFuZfWQmi9
 NQDLSwVKB2TjOLwzqiyV+9sgcouNo/nMevzuFk5kGqfXKlgGM+SBfyQure03x9o7ixKNfPfb
 MoQZD4pcxnBeAZnM1YMBZl4kv2hm3//dDNVshSZqMLb5kCNnFAhjuO3aLI5fPSGeO4NpWyFr
 F7I4nnTJRsZNeG27WaspyfEaujn2HmTtJgpPLS8++5jhlGe3EQWCR0fUVqwsP//gUm7M/pVM
 UUJ/Cc0has/7kqmSp/6RRLQiHefojYfVsBWHul87xuCooLM6hudLnANUzoEbdshrsJwTjsvv
 neFltXoCDhHsbqaRHuH/LCE6zW/JUA9JGkOfy4FZQgI+d/upMc0lB2nZtNqCrK0iJvxECzYx
 zGMsTh4i7gN5eYQ0KO01VPKmTShot7OVAFdzhTXRUqr5EVyY4vNT46v6V6d4/9bMI+TQ1+Nl
 HcBksmaqusJCPmllzSWQeMCHJmq6uyDPTmahkRgd7E6+zqF9HmkcoRdpjp5IS9BMs8DfSLuS
 EDUvgxV6dlYO37CRa1wZ5m4I8cn167tEZLiTP+8RsNTb55tdQmv/Tppe0eU0mbx1kMrlMkXJ
 5aBdu6+AHAbF+JjzTyrV6Eay7Bt2yNW7WbSRpT81Dy8w7eEaXKUD7cYWHOHa+Ejs/iFpC3a9
 t9eM42BzBA3ePbzeCba2Y4aKVQbKz4wApWeg8ZPeMadLQd8XmIsEfncxfUmYYMNt6BUkPrYu
 3KwQElVzHLhinDdbwaHcHZubPXoR5kXhXY6OzE8eFiz13U9bIKH8qgSbd00cKMh+eglyuR7J
 8TpYO3ZX68KG2uComtMKMCn88p8cVKgwwyUNjejYD8xcoQmSwGhFsLYQzYDPRImV0KfncUkq
 qCm1gTVTIBFQAJnDc3Mb+mowU/3tn8Y8N+elWOWSjWKUBS9rNpZOGbqg+UpIsoBDxzGy3HIn
 0yVGBoU762F6YM87NCD1+jOopaLAtlOOBNQP1DayrKqagjc3G6omrFbXMiyIDvyaWLT+YeZX
 9tz8c3SCvM8sWxxg9JOKIozlaMazPnzloBe1TVhTSnqbUz0K7ZOIUum/Mhot49Nz49/vTqnB
 0eE//cDM7CJJvHgLk81ITAhT+Wc1MM7nivZwuQ1LX7bug523uujemdDMyacjBdyKONOD7ok5
 uM6qegq6wCboTg7AOas1yx72TyFES0dbv8BqJofPr7OtiMq7VNzObrnFS785cC0WeVma0UFD
 Gedu/vfuu562EHHTnsUEErN18p7gbAlmkhD7H0GFmSztuv1vN0F9zwPzm1vVSVQ9AtN7MxrM
 GsyN0FVG7SHzw01uOd9BVKTCyNzLzzH3Hfuymk5tnzTFGipcW3vEFcTG8iw+GIhzmYNWQQDo
 Z+5zj7+XCfIbfPB+HI4eXRYpszJSf1z8Qz/m/6bIfmVIqliYRTZr/+vQUEqtyrYBdgAgRybh
 Otyo8d1R67JFQ8RhKwZGYOq76s0TS7YFTZNXMNn3qMFIjzbcmuA3TOPdkODQeJWBvnw6UTjI
 ddfFsFOcBWf1Si1sTEQA5AXEYJ0hPIE4NkjeKvhAGw774uksTtitazP+hjEhGMER8tkleA/I
 Njzcw2uP3Oxh3wOvUPwt+hBZ3SFZOcbaD3G3Oya9PsDE7QBurpOdWAwyr6FgGWHAjB4/h67v
 BLxWIGO9rZMkb9TporLFrlPIy6WKtmpDeSBz12VguR0NNjKNZ/DihMRplzZJD9pBLo2Welst
 LGzodXyjVLkvrE3bjjjoKO/NZJ1vOe8YOkGFfjMDih+vTCDU8rS8Rc86ziGCZhWouh8uOijZ
 SWFMfWVS/BEdetZ9nNvbwpmLy08EIXyN6fpmjO8pa+DCz8byg32E+mk/n7IM0BeWDcDYaP8L
 grGqsee2M1Rg9VJNi8lGsNJPp5cC33gUJsAaNfem2S5DG6po1XaoZrkt0Mqxg/qA0m+MvTRw
 Mz6VDmnUzrqo4DO7tVSk7Iqjy0tFHwn3NUBJBMMyeB5mxWRLTAgL91EFb4kF5sNsCj59K+gV
 QH3dGF4VBnMB2VVQy7dvubmcByUXNEVG9HDITcswUOYRgG2CK6EA5pj7i1Q2Gh3SBSy0NCYL
 cwixVOoMiiT2p1JQcMh1s6/i8pjxdLYwSss0mL5mMrQHR0fIOsr0FpMIQlzbhHEQvr9zBjzG
 WsIRG56GRDxDQa7FMt7YHdaFS0IpD6lnX1icS6Lx82ZoImBivFJzPrkIezoz7kfd4IwKaUTQ
 W/sDX64i4xMNqf/ZYNy0z7xvZJJNA==
IronPort-HdrOrdr: A9a23:xZH4bK9yVjpisfWi52Zuk+HRdb1zdoMgy1knxilNoENuHfBwxv
 rDoB1E73LJYVYqOU3Jmbi7Sc29qBTnhOJICOgqTMqftWzd1ldAQ7sSi7cKrweQeREWs9Qtrp
 uIEJIOeeEYc2IK9PoSiTPQe71LoKjlzEnrv5al854Ed3AVV0gK1XYfNu/0KDwSeOEQbqBJa6
 Z1haJ81nidkSt9VLX+OpFhN9Kz5OEj2aiWFyLvQHUcmXyzpALtzIS/PwmT3x8YXT8K66wl63
 L5nwvw4bjmm+2nyzfHvlWjpKh+qZ/E8J9uFcaMgs8aJnHHkQCzfrlsXLWEoXQcvPyv0lA3i9
 PByi1Qd/ib00mhM11dnCGdlzUJiF0VmjDfIB6j8DLeSPXCNXgH45Erv/MWTvKW0TtggDhG6t
 M444uojesmMfr+plWP2zGxbWATqqOVmwtXrQdBtQ0pbWK1Us4Q3MsiFQVuYdI9IB4=
From:   =?UTF-8?q?Michael=20Wei=C3=9F?= <michael.weiss@aisec.fraunhofer.de>
To:     Alexander Mikhalitsyn <alexander@mihalicyn.com>,
        Christian Brauner <brauner@kernel.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Paul Moore <paul@paul-moore.com>
CC:     Daniel Borkmann <daniel@iogearbox.net>,
        Andrii Nakryiko <andrii@kernel.org>,
        Martin KaFai Lau <martin.lau@linux.dev>,
        Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
        John Fastabend <john.fastabend@gmail.com>,
        KP Singh <kpsingh@kernel.org>,
        Stanislav Fomichev <sdf@google.com>,
        Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>,
        Quentin Monnet <quentin@isovalent.com>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Miklos Szeredi <miklos@szeredi.hu>,
        Amir Goldstein <amir73il@gmail.com>,
        "Serge E. Hallyn" <serge@hallyn.com>, <bpf@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>, <linux-fsdevel@vger.kernel.org>,
        <gyroidos@aisec.fraunhofer.de>,
        =?UTF-8?q?Michael=20Wei=C3=9F?= <michael.weiss@aisec.fraunhofer.de>
Subject: [RESEND RFC PATCH v2 14/14] device_cgroup: Allow mknod in non-initial userns if guarded
Date:   Wed, 25 Oct 2023 11:42:24 +0200
Message-Id: <20231025094224.72858-15-michael.weiss@aisec.fraunhofer.de>
In-Reply-To: <20231025094224.72858-1-michael.weiss@aisec.fraunhofer.de>
References: <20231025094224.72858-1-michael.weiss@aisec.fraunhofer.de>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?UU52cENSbVBpcklvY1VOdVhBSEg1aGxveDEwYTdlUUdabkxsWnZQOGtQVzY0?=
 =?utf-8?B?aDJNZ3ZYTjR3clVjMUR2b3d1RE5JY3U0cThPOGJUakRjajl3V2V5V0hFbUcx?=
 =?utf-8?B?azd1Q01ueGFibUR3M3RzSTI3WC9LRVR4ZFY1RUV0UzJPUnFxZTRTaytvZ25l?=
 =?utf-8?B?eVFlM2p3a09BOUhmeTkvbFpieHNuV2tEQmVEbmIraWgrZ3pkVVllOHpXeUtG?=
 =?utf-8?B?RWg3VXF3Mkl4dVU3L0poLzExL1ozSW9xeXZTaGc2ZVVTdzJOUzliZzFJUndr?=
 =?utf-8?B?SWNqL0IycFZsenpTb01aZTR4UUo3bjcrNUMwNlQ5OExWbjhKUHp6em1BS2V5?=
 =?utf-8?B?SEszNmFPQjhwSVY2U0VDTjMwZ2ZRbUxTb3ZrMStWYy84Z0xmd2FYd3ZQWmRC?=
 =?utf-8?B?NE5WdVJEUXJKUjdOaEV3Q1RjNVVMQk90TGFZZDQwc25hUzlLME1jZlZEdlBj?=
 =?utf-8?B?eGNpKzdhYVozbnc1VWZkNlZ3dHpia3BXTEtEdCtMS3A5ckRkd3ZYMDd5RDVo?=
 =?utf-8?B?KzEvSS96LzRad20xRkczTmRrYjBUV0UxL3IyN3RldVRuQTRKQktlYXJJdmty?=
 =?utf-8?B?d2VnQWZCdEtiVnpIUEJrRlNzSVZDMVN1dWl4OG1oM1BidE13SEVTRGNKVkZG?=
 =?utf-8?B?d0s0blE1dWdzbnY4Njk3NlFsOUhkWCtES2JNdFhoWkJvNitoY2VlMDJNNlgv?=
 =?utf-8?B?TXYwS2IxTkswUDVpSmZBK3JXNVV0cnZCL1d4cGlRakRaMjJhTXBzRE9mQWlz?=
 =?utf-8?B?VUFyeFBOcEJZMXo3MGZRb0xjWFhXa21qa05qT3JsZmF1bXBCa21sbFFRUVBu?=
 =?utf-8?B?ejVtMjByQ2tHOWMvaDB2MVR1K3JBTGpqcXl4ZkhteVA3TkpOWGNmcS9laHcz?=
 =?utf-8?B?dXVqbU9ERHdLOVV6Z1RGbWdhUU1FdG95K1NzblpSYk9WVE9VNE5KdUxLM2Zk?=
 =?utf-8?B?c3VCd01GYzVnN0ZZU2x5S2VXK1VTdDJhQ3l1clZUWjZqelpPZnFaeG4xKzE3?=
 =?utf-8?B?VjZwNzJNZ3dvT2ZmWXZRSzlEWFNYSjlnUDZxd0RrNWFxdVlVdG1Kb1pDQUFS?=
 =?utf-8?B?Lzhld3pidXcxcXdndzhCVE5vcHF5Z292dGlaa0tId3NhcytPWTZmRHFyYnV0?=
 =?utf-8?B?RENSREIzaEUzMnZjNUhZc3AvTk9ib25PdGNhVTNOVTUzMWdMK2Jya3Z6Sm91?=
 =?utf-8?B?ZDFORW9wMnV2b005SlpSRGVaRnJIdXdCVnpTUjRKYldmY0w1VDZ4WlIzdjZS?=
 =?utf-8?B?WFdPSSt3QnJDaDNLS3hTVFpYSGozWElJc2d4bkZBdHZpZThySHpIVWJpQ29Y?=
 =?utf-8?B?Tkd0Wmg4alY5R0tRZUQzZjFNWDQ3VVF1emdkUWcydjVJWGZyN3BHSGtPRHRP?=
 =?utf-8?B?b0NHTkpVc2p5ODNNUFNwdVp6L2hrVzJsWlArYm85V0EyWVc5QXpGL0xIOTdE?=
 =?utf-8?B?VVViOFBPVEFaZno3bkNWTER5WjBSTUpuSGMyUHFLNk1vYldKSmE3SUt1NkhX?=
 =?utf-8?B?MkFVWjRRUjhERXBNL1JPM3NnTDdjZ2kwbE5kSnJNbGpEQkRrd3ozWjN5b040?=
 =?utf-8?B?VXU0NWhiaUNoa1FFYW5zdEpJS3h1Uy80ZWozdjVIOUJpVkRmKytoRGZtamt0?=
 =?utf-8?B?T2hieTFudEdDYXk0Z3I3ZFl1TzF1UUVid21OZDZxQk04cTFueGliRlpoR2pT?=
 =?utf-8?B?dGJ2N1JzNlpTZEJiSjFSaHgxWnNJOEx2R0szUWpyclpUMk1ydFpGNnVMNVgy?=
 =?utf-8?B?ZzV4SEp2SkY1VGJkWWsyRGVYQmR1ckpxQlBKc0pjTXVkTXR2WkhZYjcrU0lt?=
 =?utf-8?B?TjZIc3gvT05kUWt4SGs2YUxEb1c3L2txYm55VXVOY0s5bU8vazFqOEE2eEVV?=
 =?utf-8?B?NDVaVTkreCtxd0UxUWRSTlhYNjZXOXE4ejVTanViaG5vaDhwREY1WWFPWEZW?=
 =?utf-8?B?dERINUZJYldUY2JkVlo2RXVlNTl2YlZBaFpDZm9UaEFBYWY5MDlQM3VNenp3?=
 =?utf-8?B?SnhzM1lTd1lmckROL1FhUitNeHo3dXVkbE83NTREWWpVZ3JzdCtrb1hJV0tM?=
 =?utf-8?B?b0xCZHYzZmh3cXpxUGpkN2tRVGtFSDA5aHYrU2x5YmxqbzdNMjRGY3pnMlRR?=
 =?utf-8?B?cnN6c0NkQzVGUFJaaGMwRGpsanFsejVJMDlKMW12RElHTDlRN3dTZHdOa0Mw?=
 =?utf-8?B?WkN1NG16ekhJZzVmREM5Q2NMNUh3eklUbzJNR2FQaUkvNEtDRU5HLzR3MGpz?=
 =?utf-8?Q?KfUaqrpCrMF316NWrq0tde+GMsYf28bVqY/zbLLiWI=3D?=
X-MS-Exchange-CrossTenant-Network-Message-Id: ea45e0e1-34be-418f-00ee-08dbd53ecb86
X-MS-Exchange-CrossTenant-AuthSource: BEZP281MB2791.DEUP281.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Oct 2023 09:43:08.4202
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f930300c-c97d-4019-be03-add650a171c4
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: Z032ILo5eW7I8M+KBfdtf1e0rMwDPPIOXQExBCaJmEgcIpSqrTqqI8upd6o3CV8zOR56tK3qR9iIL6m+Mtsloeo04bS7dWN+jZSPqUjCIA21sPyuzRUWrTr2Ca/lV8Zw
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BE0P281MB0116
X-OriginatorOrg: aisec.fraunhofer.de
X-Spam-Status: No, score=-0.8 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Wed, 25 Oct 2023 02:45:32 -0700 (PDT)

If a container manager restricts its unprivileged (user namespaced)
children by a device cgroup, it is not necessary to deny mknod()
anymore. Thus, user space applications may map devices on different
locations in the file system by using mknod() inside the container.

A use case for this, we also use in GyroidOS, is to run virsh for
VMs inside an unprivileged container. virsh creates device nodes,
e.g., "/var/run/libvirt/qemu/11-fgfg.dev/null" which currently fails
in a non-initial userns, even if a cgroup device white list with the
corresponding major, minor of /dev/null exists. Thus, in this case
the usual bind mounts or pre populated device nodes under /dev are
not sufficient.

To circumvent this limitation, allow mknod() by checking CAP_MKNOD
in the userns by implementing the security_inode_mknod_nscap(). The
hook implementation checks if the corresponding permission flag
BPF_DEVCG_ACC_MKNOD_UNS is set for the device in the bpf program.
To avoid to create unusable inodes in user space the hook also checks
SB_I_NODEV on the corresponding super block.

Further, the security_sb_alloc_userns() hook is implemented using
cgroup_bpf_current_enabled() to allow usage of device nodes on super
blocks mounted by a guarded task.

Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
---
 security/device_cgroup/lsm.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/security/device_cgroup/lsm.c b/security/device_cgroup/lsm.c
index a963536d0a15..6bc984d9c9d1 100644
--- a/security/device_cgroup/lsm.c
+++ b/security/device_cgroup/lsm.c
@@ -66,10 +66,37 @@ static int devcg_inode_mknod(struct inode *dir, struct dentry *dentry,
 	return __devcg_inode_mknod(mode, dev, DEVCG_ACC_MKNOD);
 }
 
+#ifdef CONFIG_CGROUP_BPF
+static int devcg_sb_alloc_userns(struct super_block *sb)
+{
+	if (cgroup_bpf_current_enabled(CGROUP_DEVICE))
+		return 0;
+
+	return -EPERM;
+}
+
+static int devcg_inode_mknod_nscap(struct inode *dir, struct dentry *dentry,
+				       umode_t mode, dev_t dev)
+{
+	if (!cgroup_bpf_current_enabled(CGROUP_DEVICE))
+		return -EPERM;
+
+	// avoid to create unusable inodes in user space
+	if (dentry->d_sb->s_iflags & SB_I_NODEV)
+		return -EPERM;
+
+	return __devcg_inode_mknod(mode, dev, BPF_DEVCG_ACC_MKNOD_UNS);
+}
+#endif /* CONFIG_CGROUP_BPF */
+
 static struct security_hook_list devcg_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(inode_permission, devcg_inode_permission),
 	LSM_HOOK_INIT(inode_mknod, devcg_inode_mknod),
 	LSM_HOOK_INIT(dev_permission, devcg_dev_permission),
+#ifdef CONFIG_CGROUP_BPF
+	LSM_HOOK_INIT(sb_alloc_userns, devcg_sb_alloc_userns),
+	LSM_HOOK_INIT(inode_mknod_nscap, devcg_inode_mknod_nscap),
+#endif
 };
 
 static int __init devcgroup_init(void)
-- 
2.30.2