[Devel] [PATCH RH7/RH8] mnt: relax the restrictions of MS_SET_GROUP

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu May 21 17:49:18 MSK 2020 

>From the first glance it looked nice to check that the source path from
which we wan't to copy sharing is root of it's mount to make interface
more predictable. But it appeared there is a pain for external mount
restore and for ct root mount restore to lookup actuall mount path in
host mount namespace instead of just relying on a path to subdirectory
on this mount which is already given to us by user.

For instance when we do bind-mounts for these root and external mounts
we use subdirectory as a source and it's ok.

Also from the first glance it looked nice to only allow to set sharing
for a mount in current mntns. But there is also a pain for criu because
we can have many mounts with the same shared_id and master_id (from same
sharing group) in different mount namespaces, and in the worst case we
would need to do extra setns for each mount which is a pure waste of
resources. So let's allow copying sharing options even if (current mntns
!= source mntns != destination mntns) all namespces are different (note:
mounts from alien mntns can be accessed through /proc/pid/fd/id).

https://jira.sw.ru/browse/PSBM-58617

note: applies both to vz7 and vz8.

Fixes: ("mnt: allow to add a mount into an existing group")

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 fs/namespace.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 46cda75f0b99..ac830373a7d6 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2705,15 +2705,9 @@ static int do_set_group(struct path *path, const char *sibling_name)
 		return err;
 
 	err = -EINVAL;
-	if (sibling_path.dentry != sibling_path.mnt->mnt_root)
-		goto out_put;
-
 	sibling = real_mount(sibling_path.mnt);
 	mnt = real_mount(path->mnt);
 
-	if (!check_mnt(mnt))
-		goto out_put;
-
 	namespace_lock();
 
 	err = -EPERM;
@@ -2742,7 +2736,6 @@ static int do_set_group(struct path *path, const char *sibling_name)
 	err = 0;
 out_unlock:
 	namespace_unlock();
-out_put:
 	path_put(&sibling_path);
 	return err;
 }
-- 
2.24.1

More information about the Devel mailing list