On Fri, Jul 29, 2016 at 10:34:38AM +0300, Elena Reshetova wrote: > This adds a new security_sb_unsharefs() LSM hook. > It can be used by LSMs concerned about unsharefs() > system call. > > Signed-off-by: Elena Reshetova > --- [...] > @@ -132,11 +133,15 @@ int unshare_fs_struct(void) > { > struct fs_struct *fs = current->fs; > struct fs_struct *new_fs = copy_fs_struct(fs); > - int kill; > + int kill, retval; > > if (!new_fs) > return -ENOMEM; > > + retval = security_sb_unsharefs(&new_fs->root); > + if (retval) > + return retval; Oh, and this is a memory leak. If copy_fs_struct() succeeds but security_sb_unsharefs() fails, new_fs isn't deallocated.
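
Review bot: the early "return retval" after security_sb_unsharefs() in unshare_fs_struct() exits without releasing new_fs, which copy_fs_struct() has already allocated by that point. Free it on the error path, for example free_fs_struct(new_fs); placed before return retval;, so that every call denied by an LSM does not leave an fs_struct behind. Separately, the hook is handed &new_fs->root, which is a path and not a superblock, so the sb_ prefix in its name deserves either a rename or a comment explaining the choice.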