Re: [PATCH RFC 3/7] pidfs: raise SB_I_NODEV and SB_I_NOEXEC


 



On Tue, 17 Jun 2025 at 17:45, Christian Brauner
<brauner@xxxxxxxxxx> wrote:
>
> Similar to commit 1ed95281c0c7 ("anon_inode: raise SB_I_NODEV and SB_I_NOEXEC"):
> it shouldn't be possible to execute pidfds via
> execveat(fd_anon_inode, "", NULL, NULL, AT_EMPTY_PATH)
> so raise SB_I_NOEXEC so that no one gets any creative ideas.
>
> Also raise SB_I_NODEV as we don't expect or support any devices on pidfs.
>
> Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>

Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@xxxxxxxxxxxxx>

> ---
>  fs/pidfs.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/fs/pidfs.c b/fs/pidfs.c
> index ca217bfe6e40..1343bfc60e3f 100644
> --- a/fs/pidfs.c
> +++ b/fs/pidfs.c
> @@ -959,6 +959,8 @@ static int pidfs_init_fs_context(struct fs_context *fc)
>         if (!ctx)
>                 return -ENOMEM;
>
> +       fc->s_iflags |= SB_I_NOEXEC;
> +       fc->s_iflags |= SB_I_NODEV;
>         ctx->ops = &pidfs_sops;
>         ctx->eops = &pidfs_export_operations;
>         ctx->dops = &pidfs_dentry_operations;
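
Review bot: The two added `fc->s_iflags |= ...` lines in pidfs_init_fs_context() have no comment saying why the flags are raised. The rationale (no execveat() with AT_EMPTY_PATH on a pidfd, no device nodes on pidfs) exists only in the commit message, and its example call names `fd_anon_inode` rather than a pidfd. A short comment above the assignments would keep the reason next to the code. As a style point, the two statements can be folded into one: `fc->s_iflags |= SB_I_NOEXEC | SB_I_NODEV;`.
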
>
> --
> 2.47.2
>



