author: J. Bruce Fields <bfields@redhat.com> 2016-05-03 21:16:02 +0200
committer: Anna Schumaker <Anna.Schumaker@Netapp.com> 2016-05-09 15:05:40 +0200
commit: 7e3fcf61abde92a895533b1c6932ad17e073a49c
tree: 271dfb0c8d63d67a024d50e9c2db21c31bd649ac /fs
parent: NFS: Fix an LOCK/OPEN race when unlinking an open file
nfs: don't share mounts between network namespaces

There's no guarantee that an IP address in a different network namespace actually represents the same endpoint.

Also, if we allow unprivileged nfs mounts some day then this might allow an unprivileged user in another network namespace to misdirect somebody else's nfs mounts.

If sharing between containers is really what's wanted then that could still be arranged explicitly, for example with bind mounts.

Reported-by: "Eric W. Biederman" <ebiederm@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Diffstat (limited to 'fs')
-rw-r--r-- fs/nfs/super.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index f1268280244e..ff537a205188 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2408,6 +2408,11 @@ static int nfs_compare_super_address(struct nfs_server *server1,
struct nfs_server *server2)
{
struct sockaddr *sap1, *sap2;
+ struct rpc_xprt *xprt1 = server1->client->cl_xprt;
+ struct rpc_xprt *xprt2 = server2->client->cl_xprt;
+
+ if (!net_eq(xprt1->xprt_net, xprt2->xprt_net))
+ return 0;
sap1 = (struct sockaddr *)&server1->nfs_client->cl_addr;
sap2 = (struct sockaddr *)&server2->nfs_client->cl_addr;
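Review bot: The two new initialisers at the top of nfs_compare_super_address() load server1->client->cl_xprt and server2->client->cl_xprt as plain pointers, but in sunrpc cl_xprt is an RCU-protected field, so these loads and the xprt_net reads that follow should happen inside rcu_read_lock()/rcu_read_unlock() via rcu_dereference(), with the net_eq() result saved before unlocking. Separately, the reason for the early "return 0" lives only in the commit message; a one-line comment above the net_eq() check stating that equal addresses in different network namespaces are not assumed to be the same server would keep the intent visible next to the address comparison that follows.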