authorJ. Bruce Fields <bfields@redhat.com>2016-05-03 19:16:02 (GMT)
committerAnna Schumaker <Anna.Schumaker@Netapp.com>2016-05-09 13:05:40 (GMT)
commit7e3fcf61abde92a895533b1c6932ad17e073a49c (patch)
tree271dfb0c8d63d67a024d50e9c2db21c31bd649ac
parent11476e9dec39d90fe1e9bf12abc6f3efe35a073d (diff)
nfs: don't share mounts between network namespaces
There's no guarantee that an IP address in a different network namespace actually represents the same endpoint. Also, if we allow unprivileged nfs mounts some day then this might allow an unprivileged user in another network namespace to misdirect somebody else's nfs mounts. If sharing between containers is really what's wanted then that could still be arranged explicitly, for example with bind mounts. Reported-by: "Eric W. Biederman" <ebiederm@redhat.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
-rw-r--r--fs/nfs/super.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index f126828..ff537a2 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2408,6 +2408,11 @@ static int nfs_compare_super_address(struct nfs_server *server1,
struct nfs_server *server2)
{
struct sockaddr *sap1, *sap2;
+ struct rpc_xprt *xprt1 = server1->client->cl_xprt;
+ struct rpc_xprt *xprt2 = server2->client->cl_xprt;
+
+ if (!net_eq(xprt1->xprt_net, xprt2->xprt_net))
+ return 0;
sap1 = (struct sockaddr *)&server1->nfs_client->cl_addr;
sap2 = (struct sockaddr *)&server2->nfs_client->cl_addr;
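Review bot: The two new initialisers read `server1->client->cl_xprt` and `server2->client->cl_xprt` as plain pointers and then dereference them for `xprt_net`, with no locking visible in the hunk. If `cl_xprt` is the RCU-managed transport pointer of `struct rpc_clnt` (its declaration is not shown here), the read should happen under `rcu_read_lock()` with `rcu_dereference()`, otherwise the transport could be replaced while the namespaces are being compared. Because this check is what keeps a superblock from being shared across network namespaces, going through the accessor would be safer, for example `if (!net_eq(rpc_net_ns(server1->client), rpc_net_ns(server2->client))) return 0;`. A short comment above the check, such as `/* an address only identifies a server within one network namespace */`, would record why it comes before the address comparison. The body of nfs_compare_super_address continues past the end of the hunk.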