diff options
| author | Christian Brauner <brauner@kernel.org> | 2026-02-26 14:50:09 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-03-19 16:15:12 +0100 |
| commit | 0ad650e60150eda789deca5e78a6a09d26bf8fc9 (patch) | |
| tree | ef9ec305e3248d420c71824b4fa62829020eae36 /fs/nsfs.c | |
| parent | 7e6e2fc91d4b9b12ec6e137019532568ebcf2680 (diff) | |
nsfs: tighten permission checks for ns iteration ioctls
commit e6b899f08066e744f89df16ceb782e06868bd148 upstream.
Even privileged services should not necessarily be able to see other
privileged service's namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.
Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-1-d2c2853313bd@kernel.org
Fixes: a1d220d9dafa ("nsfs: iterate through mount namespaces")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.12+
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/nsfs.c')
| -rw-r--r-- | fs/nsfs.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/fs/nsfs.c b/fs/nsfs.c index bf27d5da91f1..f1e195710804 100644 --- a/fs/nsfs.c +++ b/fs/nsfs.c @@ -186,6 +186,17 @@ static bool nsfs_ioctl_valid(unsigned int cmd) return false; } +static bool may_use_nsfs_ioctl(unsigned int cmd) +{ + switch (_IOC_NR(cmd)) { + case _IOC_NR(NS_MNT_GET_NEXT): + fallthrough; + case _IOC_NR(NS_MNT_GET_PREV): + return may_see_all_namespaces(); + } + return true; +} + static long ns_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg) { @@ -201,6 +212,8 @@ static long ns_ioctl(struct file *filp, unsigned int ioctl, if (!nsfs_ioctl_valid(ioctl)) return -ENOIOCTLCMD; + if (!may_use_nsfs_ioctl(ioctl)) + return -EPERM; ns = get_proc_ns(file_inode(filp)); switch (ioctl) { |