git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Amir Goldstein <amir73il@gmail.com>
	Fri, 16 May 2025 19:28:03 +0000 (21:28 +0200)
committer	Jan Kara <jack@suse.cz>
	Mon, 19 May 2025 20:46:34 +0000 (22:46 +0200)
commit	58f5fbeb367ff6f30a2448b2cad70f70b2de4b06
tree	079ca8d6481fcdd10d2ca7f21fde91841fed6217	tree
parent	90d1238047a6479674db4b35264e9519186af9e8	commit \| diff

fanotify: support watching filesystems and mounts inside userns

An unprivileged user is allowed to create an fanotify group and add
inode marks, but not filesystem, mntns and mount marks.

Add limited support for setting up filesystem, mntns and mount marks by
an unprivileged user under the following conditions:

1. User has CAP_SYS_ADMIN in the user ns where the group was created
2.a. User has CAP_SYS_ADMIN in the user ns where the sb was created
OR (in case setting up a mntns mark)
2.b. User has CAP_SYS_ADMIN in the user ns associated with the mntns

Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20250516192803.838659-3-amir73il@gmail.com

fs/notify/fanotify/fanotify.c		diff \| blob \| blame \| history
fs/notify/fanotify/fanotify_user.c		diff \| blob \| blame \| history
include/linux/fanotify.h		diff \| blob \| blame \| history
include/linux/fsnotify_backend.h		diff \| blob \| blame \| history