[Devel] [PATCH RH7] fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Mon Oct 19 18:50:01 MSK 2020
Use this for overlayfs and remove FS_USERNS_MOUNT for it as we want
overlayfs mounts in container to mimic overlayfs mounts on host, and
thus they can only be mounted in init userns of container.
https://jira.sw.ru/browse/PSBM-121284
Fixes: 71dd847047f6 ("ve/fs/overlay: allow overlayfs to be used inside a
Container")
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
Note: in VZ8 we have commit 8a608edc9294 ("ms/teach move_mount(2) to
work with OPEN_TREE_CLONE") which should be reworked because it allows
mounting everything, which is likely bad:
CT-e4a3f511-a27b-4dbe-8e31-2debd9721dd2 test-overlay# mount -t cgroup cgroup -omemory /mnt
CT-e4a3f511-a27b-4dbe-8e31-2debd9721dd2 test-overlay#
---
fs/overlayfs/super.c | 4 ++--
fs/super.c | 5 ++++-
include/linux/fs.h | 1 +
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index d17276df439f..46b82079c1e3 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -1588,8 +1588,8 @@ static struct file_system_type ovl_fs_type = {
.name = "overlay",
.mount = ovl_mount,
.kill_sb = kill_anon_super,
- .fs_flags = FS_HAS_DOPS_WRAPPER |
- FS_VIRTUALIZED | FS_USERNS_MOUNT,
+ .fs_flags = FS_HAS_DOPS_WRAPPER | FS_VIRTUALIZED |
+ FS_VE_MOUNT,
};
MODULE_ALIAS_FS("overlay");
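Review bot: dropping FS_USERNS_MOUNT from ovl_fs_type is a user-visible behaviour change that the commit message should spell out: any unprivileged (non-init) user namespace inside a container that could previously mount overlayfs will now get -EPERM from sget_userns(), since only FS_VE_MOUNT plus ve_capable(CAP_SYS_ADMIN) remains as the permitted path. Please state explicitly that nested-userns overlayfs mounts are intentionally disallowed, and keep FS_VIRTUALIZED in the flag set documented as still required for the fstype to be mountable inside a ve at all.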
diff --git a/fs/super.c b/fs/super.c
index 1cf377acdc02..cdb061e83eba 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -510,7 +510,10 @@ struct super_block *sget_userns(struct file_system_type *type,
if (!(flags & (MS_KERNMOUNT|MS_SUBMOUNT)) &&
!(type->fs_flags & FS_USERNS_MOUNT) &&
- !capable(CAP_SYS_ADMIN))
+ !capable(CAP_SYS_ADMIN) &&
+ /* FS_VE_MOUNT allows mount in container init userns */
+ !((type->fs_flags & FS_VE_MOUNT) &&
+ ve_capable(CAP_SYS_ADMIN)))
return ERR_PTR(-EPERM);
retry:
spin_lock(&sb_lock);
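Review bot: the new clause checks the calling task's capability via ve_capable(CAP_SYS_ADMIN) but never looks at the user_ns argument that sget_userns() was handed, so the comment "FS_VE_MOUNT allows mount in container init userns" is only accurate if ve_capable() itself guarantees the caller is in the ve's init user namespace; if it does not, a task in a nested userns of the container with CAP_SYS_ADMIN in that namespace would pass here as well. Either add an explicit check that user_ns is the ve's init userns, or reword the comment to say what ve_capable() actually tests. Style-wise, a comment inside a multi-line if condition is hard to read; moving it above the `if` and factoring the four-way condition into a small helper (e.g. `mount_allowed_in_userns(type, flags)`) would make the permission rule easier to audit.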
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 55a92ce36e94..969a04145955 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2312,6 +2312,7 @@ struct file_system_type {
#define FS_HAS_SUBTYPE 4
#define FS_USERNS_MOUNT 8 /* Can be mounted by userns root */
#define FS_VIRTUALIZED 64 /* Can mount this fstype inside ve */
+#define FS_VE_MOUNT 128 /* Can be mounted by ve-init userns root */
#define FS_HAS_RM_XQUOTA 256 /* KABI: fs has the rm_xquota quota op */
#define FS_HAS_INVALIDATE_RANGE 512 /* FS has new ->invalidatepage with length arg */
#define FS_HAS_DIO_IODONE2 1024 /* KABI: fs supports new iodone */
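Review bot: the hunk does not show that bit 128 is free in the RH7 KABI flag space; it sits between FS_VIRTUALIZED (64) and FS_HAS_RM_XQUOTA (256), and bits 16 and 32 are absent from the visible list, so please confirm no upstream or RHEL flag already occupies 128 before claiming it, or the flag will silently alias another one. The comment "Can be mounted by ve-init userns root" should also note that FS_VIRTUALIZED is still required in addition, since on its own FS_VE_MOUNT only relaxes the sget_userns() capability check.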
--
2.26.2