6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner brauner@kernel.org
[ Upstream commit 1a1ad73aa1a66787f05f7f10f686b74bab77be72 ]
Similar to commit 1ed95281c0c7 ("anon_inode: raise SB_I_NODEV and SB_I_NOEXEC"): it shouldn't be possible to execute pidfds via execveat(fd_anon_inode, "", NULL, NULL, AT_EMPTY_PATH) so raise SB_I_NOEXEC so that no one gets any creative ideas.
Also raise SB_I_NODEV as we don't expect or support any devices on pidfs.
Link: https://lore.kernel.org/20250618-work-pidfs-persistent-v2-1-98f3456fd552@ker... Reviewed-by: Alexander Mikhalitsyn aleksandr.mikhalitsyn@canonical.com Signed-off-by: Christian Brauner brauner@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- fs/pidfs.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/fs/pidfs.c b/fs/pidfs.c index 52b7e4f76732..5a8d8eb8df23 100644 --- a/fs/pidfs.c +++ b/fs/pidfs.c @@ -382,6 +382,8 @@ static int pidfs_init_fs_context(struct fs_context *fc) if (!ctx) return -ENOMEM;
+ fc->s_iflags |= SB_I_NOEXEC; + fc->s_iflags |= SB_I_NODEV; ctx->ops = &pidfs_sops; ctx->dops = &pidfs_dentry_operations; fc->s_fs_info = (void *)&pidfs_stashed_ops;