    mnt: Simplify mount_too_revealing · a1935c17
    Eric W. Biederman authored
    Verify all filesystems that we check in mount_too_revealing set
    SB_I_NOEXEC and SB_I_NODEV in sb->s_iflags.  That is true for today
    and it should remain true in the future.
    
    Remove the now unnecessary checks from mnt_already_visible that
    ensure MNT_LOCK_NOSUID, MNT_LOCK_NOEXEC, and MNT_LOCK_NODEV are
    preserved, making the code shorter and easier to read.
    
    Relying on SB_I_NOEXEC and SB_I_NODEV instead of the user visible
    MNT_NOSUID, MNT_NOEXEC, and MNT_NODEV ensures the many current
    systems where proc and sysfs are mounted with "nosuid, nodev, noexec"
    and several slightly buggy container applications that don't bother
    to set those flags continue to work.
    
    Acked-by: Seth Forshee <seth.forshee@canonical.com>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
namespace.c 81.7 KB
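
The commit message distinguishes the user-visible nosuid, nodev and noexec mount options from the superblock flags the kernel relies on. As an added example (userspace audit code written for this page, not code from the commit or from the kernel), the following C parses `/proc/self/mountinfo` lines and reports which of the three user-visible options are absent on proc and sysfs mounts. The function name `missing_flags`, the bitmask values and the sample lines are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

enum { MISSING_NOSUID = 1, MISSING_NODEV = 2, MISSING_NOEXEC = 4 };

/* Return 1 if the comma-separated list opts contains opt as a whole token. */
static int has_opt(const char *opts, const char *opt)
{
    size_t n = strlen(opt);
    while (*opts) {
        size_t len = strcspn(opts, ",");
        if (len == n && strncmp(opts, opt, n) == 0)
            return 1;
        opts += len;
        if (*opts == ',')
            opts++;
    }
    return 0;
}

/* For one mountinfo line: -1 if it is not a proc or sysfs mount (or cannot
 * be parsed), otherwise a bitmask of the missing per-mount options. */
int missing_flags(const char *line)
{
    char opts[256], fstype[64];
    const char *sep = strstr(line, " - ");   /* separator before fstype */
    int mask = 0;

    if (!sep || sscanf(sep + 3, "%63s", fstype) != 1)
        return -1;
    if (strcmp(fstype, "proc") != 0 && strcmp(fstype, "sysfs") != 0)
        return -1;
    if (sscanf(line, "%*s %*s %*s %*s %*s %255s", opts) != 1)  /* field 6 */
        return -1;
    if (!has_opt(opts, "nosuid")) mask |= MISSING_NOSUID;
    if (!has_opt(opts, "nodev"))  mask |= MISSING_NODEV;
    if (!has_opt(opts, "noexec")) mask |= MISSING_NOEXEC;
    return mask;
}

int main(void)
{
    /* Constructed sample lines, not captured from a real system. */
    const char *sample[] = {
        "22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw",
        "90 85 0:45 / /sys ro,relatime - sysfs sysfs rw",
    };
    for (size_t i = 0; i < 2; i++)
        printf("mask=%d  %s\n", missing_flags(sample[i]), sample[i]);
    return 0;
}
```

A mask of 0 means all three options are present on that mount; a nonzero mask identifies a proc or sysfs mount of the kind the message attributes to container applications that do not set those flags.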