[Devel] [PATCH RH7] fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns

Konstantin Khorenko khorenko at virtuozzo.com
Mon Oct 19 19:10:15 MSK 2020


On 10/19/2020 06:50 PM, Pavel Tikhomirov wrote:
> Use this for overlayfs and remove FS_USERNS_MOUNT for it as we want
> overlayfs mounts in container to mimic overlayfs mounts on host, and
> thus they can only be mounted in init userns of container.
>
> https://jira.sw.ru/browse/PSBM-121284
>
> Fixes: 71dd847047f6 ("ve/fs/overlay: allow overlayfs to be used inside a
> Container")
>
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>

> ---
> Note: in VZ8 we have commit 8a608edc9294 ("ms/teach move_mount(2) to
> work with OPEN_TREE_CLONE") which should be reworked because it allows
> mounting everything, which is likely bad:
>
> CT-e4a3f511-a27b-4dbe-8e31-2debd9721dd2 test-overlay# mount -t cgroup cgroup -omemory /mnt
> CT-e4a3f511-a27b-4dbe-8e31-2debd9721dd2 test-overlay#
> ---
>  fs/overlayfs/super.c | 4 ++--
>  fs/super.c           | 5 ++++-
>  include/linux/fs.h   | 1 +
>  3 files changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
> index d17276df439f..46b82079c1e3 100644
> --- a/fs/overlayfs/super.c
> +++ b/fs/overlayfs/super.c
> @@ -1588,8 +1588,8 @@ static struct file_system_type ovl_fs_type = {
>  	.name		= "overlay",
>  	.mount		= ovl_mount,
>  	.kill_sb	= kill_anon_super,
> -	.fs_flags	= FS_HAS_DOPS_WRAPPER |
> -			  FS_VIRTUALIZED | FS_USERNS_MOUNT,
> +	.fs_flags	= FS_HAS_DOPS_WRAPPER | FS_VIRTUALIZED |
> +			  FS_VE_MOUNT,
>  };
>  MODULE_ALIAS_FS("overlay");
>
> diff --git a/fs/super.c b/fs/super.c
> index 1cf377acdc02..cdb061e83eba 100644
> --- a/fs/super.c
> +++ b/fs/super.c
> @@ -510,7 +510,10 @@ struct super_block *sget_userns(struct file_system_type *type,
>
>  	if (!(flags & (MS_KERNMOUNT|MS_SUBMOUNT)) &&
>  	    !(type->fs_flags & FS_USERNS_MOUNT) &&
> -	    !capable(CAP_SYS_ADMIN))
> +	    !capable(CAP_SYS_ADMIN) &&
> +	    /* FS_VE_MOUNT allows mount in container init userns */
> +	    !((type->fs_flags & FS_VE_MOUNT) &&
> +	       ve_capable(CAP_SYS_ADMIN)))
>  		return ERR_PTR(-EPERM);
>  retry:
>  	spin_lock(&sb_lock);
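Review bot: The added comment promises "mount in container init userns", but the new clause only tests `ve_capable(CAP_SYS_ADMIN)`; whether that also rejects a caller sitting in a nested user namespace created inside the container depends on how ve_capable() is implemented, which is not visible here, so it is worth confirming, and if it does not, comparing the user namespace passed to sget_userns() against the container's init userns explicitly rather than relying on the capability alone. As a matter of style, a comment embedded in the middle of a four-line `&&` chain is easy to miss and the double negation `!((flags & FS_VE_MOUNT) && ve_capable(...))` is hard to read; hoisting the VE case into a named local inside the existing condition keeps the same behaviour and reads top-down. The body of sget_userns continues outside the hunk.

```c
	if (!(flags & (MS_KERNMOUNT|MS_SUBMOUNT)) &&
	    !(type->fs_flags & FS_USERNS_MOUNT) &&
	    !capable(CAP_SYS_ADMIN)) {
		/* FS_VE_MOUNT allows mount in container init userns */
		bool ve_mount = (type->fs_flags & FS_VE_MOUNT) &&
				ve_capable(CAP_SYS_ADMIN);

		if (!ve_mount)
			return ERR_PTR(-EPERM);
	}
	/* … unchanged: retry: label and sb_lock handling … */
```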
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 55a92ce36e94..969a04145955 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2312,6 +2312,7 @@ struct file_system_type {
>  #define FS_HAS_SUBTYPE		4
>  #define FS_USERNS_MOUNT		8	/* Can be mounted by userns root */
>  #define FS_VIRTUALIZED		64	/* Can mount this fstype inside ve */
> +#define FS_VE_MOUNT		128	/* Can be mounted by ve-init userns root */
>  #define FS_HAS_RM_XQUOTA	256	/* KABI: fs has the rm_xquota quota op */
>  #define FS_HAS_INVALIDATE_RANGE	512	/* FS has new ->invalidatepage with length arg */
>  #define FS_HAS_DIO_IODONE2	1024	/* KABI: fs supports new iodone */
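Review bot: The new bit 128 fills the gap between FS_VIRTUALIZED (64) and FS_HAS_RM_XQUOTA (256), and since 16 and 32 are not defined in this stretch of the header either, some of these values are evidently allocated elsewhere; please confirm that 128 is not already claimed by another FS_* definition further down in fs.h or by a KABI consumer before taking it. The comment would also help readers of sget_userns() if it named the enforcement point and the relation to FS_VIRTUALIZED, e.g. `/* Can be mounted by ve-init userns root; checked via ve_capable() in sget_userns() */`, since the sget_userns hunk tests FS_VE_MOUNT on its own and not together with FS_VIRTUALIZED.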
>

