[Devel] [PATCH RH7] fs: prohibit remounting non-root mounts from ve user ns
Pavel Tikhomirov
ptikhomirov at odin.com
Fri Oct 23 01:19:26 PDT 2015
That is one possible approach to allow remounting in ve(ct) user ns for
docker and at the same time prohibiting to remount sb of mounts
initially created outside of these namespace(proposed by @avagin).
The other possible way - we can save mntns from which the mount have
been initially created on superblock.
On 10/22/2015 06:31 PM, Pavel Tikhomirov wrote:
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
> fs/namespace.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 8909c13..2ed3f02 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -1994,7 +1994,13 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
> down_write(&sb->s_umount);
> if (flags & MS_BIND)
> err = change_mount_flags(path->mnt, flags);
> - else if (!ve_capable(CAP_SYS_ADMIN))
> + else if (!(capable(CAP_SYS_ADMIN)
> + || (ve_capable(CAP_SYS_ADMIN) && IS_ROOT(path->mnt->mnt_root))))
> + /*
> + * Allow CT remount sb if the root of the mount is available
> + * that will prohibit remounting sb for bindmount from host
> + * if in-ct root is not equal to hosts mount root
> + */
> err = -EPERM;
> else
> err = do_check_and_remount_sb(sb, flags, data);
>
--
Best regards, Tikhomirov Pavel
Software Developer, Odin.
More information about the Devel
mailing list