[RHEL7,COMMIT] fuse: Prohibit kio engine from containers

Submitted by Konstantin Khorenko on Oct. 31, 2018, 10:55 a.m.


Message ID 201810311055.w9VAtqKv022940@finist-ce7.sw.ru
State New
Series "Series without cover letter"
Headers show

Commit Message

Konstantin Khorenko Oct. 31, 2018, 10:55 a.m.
The commit is pushed to "branch-rh7-3.10.0-862.14.4.vz7.72.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-862.14.4.vz7.72.15
commit 9d2ed0cdcba531a058be84c6d007aff5b9f9fe58
Author: Kirill Tkhai <ktkhai@virtuozzo.com>
Date:   Wed Oct 31 13:55:52 2018 +0300

    fuse: Prohibit kio engine from containers
    Currently we have several BUG_ON() ported from userspace,
    and they may fire in case of it's used malicious daemon
    instead of original vstorage-mount. So, just prohibit
    mounting with kio from inside container.
    Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
    Reviewed-by: Pavel Butsykin <pbutsykin@virtuozzo.com>
 fs/fuse/inode.c | 2 ++
 1 file changed, 2 insertions(+)

Patch hide | download patch | download mbox

diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 0695b79c4c50..34e52262d37e 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -709,6 +709,8 @@  static int parse_fuse_opt(char *opt, struct fuse_mount_data *d, int is_bdev)
 		case OPT_KIO_NAME: {
 			char *name;
+			if (!ve_is_super(get_exec_env()))
+				return 0;
 			name = match_strdup(&args[0]);
 			if (!name)
 				return 0;