From c7eb3ff1b38be5c192bb4a3f6584303476828c1d Mon Sep 17 00:00:00 2001
From: Andreas Kling <awesomekling@gmail.com>
Date: Thu, 2 Jan 2020 02:36:12 +0100
Subject: [PATCH] Kernel: mknod() should not allow unprivileged users to create
 devices

In fact, unless you are superuser, you may only create a regular file,
a named pipe, or a local domain socket. Anything else should EPERM.
---
 Kernel/Process.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Kernel/Process.cpp b/Kernel/Process.cpp
index f5532c696a..39c3f68df2 100644
--- a/Kernel/Process.cpp
+++ b/Kernel/Process.cpp
@@ -3478,6 +3478,11 @@ int Process::sys$mknod(const char* pathname, mode_t mode, dev_t dev)
     if (!validate_read_str(pathname))
         return -EFAULT;
 
+    if (!is_superuser()) {
+        if (!is_regular_file(mode) && !is_fifo(mode) && !is_socket(mode))
+            return -EPERM;
+    }
+
     return VFS::the().mknod(StringView(pathname), mode, dev, current_directory());
 }