[Devel] [PATCH RH7] fs: allow to remount from ve user ns

Andrew Vagin avagin at odin.com
Thu Oct 22 04:34:48 PDT 2015


On Mon, Oct 19, 2015 at 04:38:00PM +0300, Pavel Tikhomirov wrote:
> docker 1.9.0-rc1+ makes bind mounts for cgroups; in a non-privileged
> container it remounts the cgroup root (/sys/fs/cgroup) tmpfs read-only.

Is it possible to remount a superblock for a bind mount? If I
bind-mount a directory from the host into a container, will a user be able to
remount the superblock for this bind mount read-only?

> 
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
>  fs/namespace.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 1377488..8909c13 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -1994,7 +1994,7 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
>  	down_write(&sb->s_umount);
>  	if (flags & MS_BIND)
>  		err = change_mount_flags(path->mnt, flags);
> -	else if (!capable(CAP_SYS_ADMIN))
> +	else if (!ve_capable(CAP_SYS_ADMIN))
>  		err = -EPERM;
>  	else
>  		err = do_check_and_remount_sb(sb, flags, data);
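Review bot: relaxing the permission check on the `else if` branch from capable(CAP_SYS_ADMIN) to ve_capable(CAP_SYS_ADMIN) gates do_check_and_remount_sb(sb, flags, data), which changes flags on the superblock itself rather than on one mount point, so every mount of that superblock is affected, including a host directory bind-mounted into the container; the hunk adds no check that `sb` belongs to the caller's VE or that the target is a mount the container itself created. Consider restricting the relaxed check to superblocks mounted from inside the VE (or to the read-only remount of the cgroup tmpfs that the commit message describes), and stating in the commit message why the per-mountpoint MS_BIND path just above (change_mount_flags) does not cover the docker use case.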
> -- 
> 1.9.3
