ceph: Only allow mounts in the initial network namespace
Today ceph opens tcp sockets from a delayed work callback. Delayed work happens from kernel threads which are always in the initial network namespace. Therefore fail early if someone attempts to mount a ceph filesystem from something other than the initial network namespace. Cc: Sage Weil <sage@inktank.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
This commit is contained in:
Eric W. Biederman
parent
bc1b69ed22
commit
eea553c21f
1 changed files with 5 additions and 0 deletions
|
|
@ -15,6 +15,8 @@
|
|||
#include <linux/slab.h>
|
||||
#include <linux/statfs.h>
|
||||
#include <linux/string.h>
|
||||
#include <linux/nsproxy.h>
|
||||
#include <net/net_namespace.h>
|
||||
|
||||
|
||||
#include <linux/ceph/ceph_features.h>
|
||||
|
|
@ -292,6 +294,9 @@ ceph_parse_options(char *options, const char *dev_name,
|
|||
int err = -ENOMEM;
|
||||
substring_t argstr[MAX_OPT_ARGS];
|
||||
|
||||
if (current->nsproxy->net_ns != &init_net)
|
||||
return ERR_PTR(-EINVAL);
|
||||
|
||||
opt = kzalloc(sizeof(*opt), GFP_KERNEL);
|
||||
if (!opt)
|
||||
return ERR_PTR(-ENOMEM);
|
||||
|
|
|
|||
Loading…
Reference in a new issue