fs: Allow CAP_SYS_ADMIN in s_user_ns to freeze and thaw filesystems
The user in control of a super block should be allowed to freeze and thaw it. Relax the restrictions on the FIFREEZE and FITHAW ioctls to require CAP_SYS_ADMIN in s_user_ns. Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Acked-by: Christian Brauner <christian@brauner.io> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
This commit is contained in:
parent
b1d749c5c3
commit
f3f1a18330
@ -549,7 +549,7 @@ static int ioctl_fsfreeze(struct file *filp)
|
|||||||
{
|
{
|
||||||
struct super_block *sb = file_inode(filp)->i_sb;
|
struct super_block *sb = file_inode(filp)->i_sb;
|
||||||
|
|
||||||
if (!capable(CAP_SYS_ADMIN))
|
if (!ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
|
||||||
/* If filesystem doesn't support freeze feature, return. */
|
/* If filesystem doesn't support freeze feature, return. */
|
||||||
@ -566,7 +566,7 @@ static int ioctl_fsthaw(struct file *filp)
|
|||||||
{
|
{
|
||||||
struct super_block *sb = file_inode(filp)->i_sb;
|
struct super_block *sb = file_inode(filp)->i_sb;
|
||||||
|
|
||||||
if (!capable(CAP_SYS_ADMIN))
|
if (!ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
|
||||||
return -EPERM;
|
return -EPERM;
|
||||||
|
|
||||||
/* Thaw */
|
/* Thaw */
|
||||||
|
Loading…
Reference in New Issue
Block a user