Your suggestions make sense to me, especially after looking at how other filesystems use init_user_ns...
As far as kicking us out of the Kernel, good grief, I hope not, it was hard getting into the kernel!

-Mike

On Sat, Jun 25, 2016 at 12:29 AM, Eric W. Biederman <[email protected]> wrote:
> Jann Horn <[email protected]> writes: > >> diff --git a/fs/orangefs/devorangefs-req.c b/fs/orangefs/devorangefs-req.c >> index db170be..a287a66 100644 >> --- a/fs/orangefs/devorangefs-req.c >> +++ b/fs/orangefs/devorangefs-req.c >> @@ -116,6 +116,13 @@ static int orangefs_devreq_open(struct inode *inode, >> struct file *file) >> { >> int ret = -EINVAL; >> >> + /* in order to ensure that the filesystem driver sees correct UIDs */ >> + if (file->f_cred->user_ns != &init_user_ns) { >> + gossip_err("%s: device cannot be opened outside >> init_user_ns\n", >> + __func__); >> + goto out; >> + } >> + > > Not necessarily in this patch but the code should also verify that the > opener is also in the initial pid namespace as pids are transferred in > the upcalls as well. > >> if (!(file->f_flags & O_NONBLOCK)) { >> gossip_err("%s: device cannot be opened in blocking mode\n", >> __func__); > > Eric
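Review bot: in the new block at the top of orangefs_devreq_open(), the rejection path does `goto out` with `ret` still holding its initial `-EINVAL`, so a caller in a non-initial user namespace sees EINVAL, which reads as a bad argument rather than a refusal based on the opener's credentials; setting `ret = -EPERM;` (or `-EACCES`) immediately before the `goto out;` would make the failure mode clear to userspace and keep it distinguishable from the O_NONBLOCK check that follows. Following Eric's comment, this same block is the natural place to also refuse openers outside the initial pid namespace, for instance with a second condition such as `task_active_pid_ns(current) != &init_pid_ns` (suggested form, not in the patch), since the upcall protocol carries pids as well as uids. Finally, consider whether gossip_err() is the right severity for this path: the comment explains the security motivation, but the message fires on an action an unprivileged user can trigger at will, so a quieter level or a ratelimited message would avoid turning the check into a log-flooding lever.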

