nsfs: tighten permission checks for handle opening

Even privileged services should not necessarily be able to see other
privileged service's namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.

Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-2-d2c2853313bd@kernel.org
Fixes: 5222470b2fbb ("nsfs: support file handles")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.18+
Signed-off-by: Christian Brauner <brauner@kernel.org>

diff --git a/fs/nsfs.c b/fs/nsfs.c
index be36c10c38cf81a2862c3d44f4a29e474a350eff..c215878d55e8798775c38b1d4c0eea96e20f71cd 100644 (file)
--- a/fs/nsfs.c
+++ b/fs/nsfs.c
@@ -627,7 +627,7 @@ static struct dentry *nsfs_fh_to_dentry(struct super_block *sb, struct fid *fh,
                return ERR_PTR(-EOPNOTSUPP);
        }
 
-       if (owning_ns && !ns_capable(owning_ns, CAP_SYS_ADMIN)) {
+       if (owning_ns && !may_see_all_namespaces()) {
                ns->ops->put(ns);
                return ERR_PTR(-EPERM);
        }