diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2019-05-12 15:42:48 -0400 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2019-05-25 17:59:56 -0400 |
commit | 0ce0cf12fc4c6a089717ff613d76457052cf4303 (patch) | |
tree | fd9ab4b39fc4c8236d06dede5f03c013d1186777 /fs/super.c | |
parent | feb8ae43a7b33148028829b1b1691b28c874c952 (diff) |
consolidate the capability checks in sget_{fc,userns}()
... into a common helper - mount_capable(type, userns)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/super.c')
-rw-r--r-- | fs/super.c | 32 |
1 files changed, 14 insertions, 18 deletions
diff --git a/fs/super.c b/fs/super.c index 9c371a04e1b6..3ba91d70c2a8 100644 --- a/fs/super.c +++ b/fs/super.c @@ -476,6 +476,14 @@ void generic_shutdown_super(struct super_block *sb) EXPORT_SYMBOL(generic_shutdown_super); +bool mount_capable(struct file_system_type *type, struct user_namespace *userns) +{ + if (!(type->fs_flags & FS_USERNS_MOUNT)) + return capable(CAP_SYS_ADMIN); + else + return ns_capable(userns, CAP_SYS_ADMIN); +} + /** * sget_fc - Find or create a superblock * @fc: Filesystem context. @@ -505,16 +513,8 @@ struct super_block *sget_fc(struct fs_context *fc, if (!(fc->sb_flags & SB_KERNMOUNT) && fc->purpose != FS_CONTEXT_FOR_SUBMOUNT) { - /* Don't allow mounting unless the caller has CAP_SYS_ADMIN - * over the namespace. - */ - if (!(fc->fs_type->fs_flags & FS_USERNS_MOUNT)) { - if (!capable(CAP_SYS_ADMIN)) - return ERR_PTR(-EPERM); - } else { - if (!ns_capable(fc->user_ns, CAP_SYS_ADMIN)) - return ERR_PTR(-EPERM); - } + if (!mount_capable(fc->fs_type, user_ns)) + return ERR_PTR(-EPERM); } retry: @@ -583,14 +583,10 @@ struct super_block *sget_userns(struct file_system_type *type, struct super_block *old; int err; - /* Ensure the requestor has permissions over the target filesystem */ - if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && !ns_capable(user_ns, CAP_SYS_ADMIN)) - return ERR_PTR(-EPERM); - - if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) && - !(type->fs_flags & FS_USERNS_MOUNT) && - !capable(CAP_SYS_ADMIN)) - return ERR_PTR(-EPERM); + if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT))) { + if (!mount_capable(type, user_ns)) + return ERR_PTR(-EPERM); + } retry: spin_lock(&sb_lock); if (test) { |