[Devel] [PATCH RHEL8 COMMIT] ve/fs/namespace: allow submounts in non-init userns

Konstantin Khorenko khorenko at virtuozzo.com
Thu Mar 18 14:59:42 MSK 2021 

Please disregard.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 03/18/2021 02:03 PM, Konstantin Khorenko wrote:
> The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
> after rh8-4.18.0-240.1.1.vz8.5.8
> ------>
> commit 39aaf4f599374a1d54d6229e3c2076946f047c68
> Author: Konstantin Khorenko <khorenko at virtuozzo.com>
> Date:   Tue Jul 3 13:28:43 2018 +0300
>
>     ve/fs/namespace: allow submounts in non-init userns
>
>     Simple NFS mount inside a Container brings us to vfs_submount(), so if
>     we want to enable NFS inside a Container (read - in non-init userns), we
>     have to omit the check for init userns.
>
>     SyS_mount
>      do_mount
>       vfs_kern_mount
>        mount_fs
>         nfs_fs_mount
>          nfs4_try_mount
>           nfs_follow_remote_path
>            mount_subtree
>             vfs_path_lookup
>              do_path_lookup
>               filename_lookup
>                path_lookupat
>                 lookup_slow
>                  follow_managed
>                   nfs_d_automount
>                    nfs4_submount
>                     nfs_do_submount
>                      vfs_submount
>
>     https://jira.sw.ru/browse/PSBM-86277
>     Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
>
>     https://jira.sw.ru/browse/PSBM-127234
>     (cherry picked from vz7 commit bc060d46276144f91a139b7d0acf384dcd0a4dde)
>     Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> ---
>  fs/namespace.c | 24 ++++++++++++++++++++++++
>  1 file changed, 24 insertions(+)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index ecd4a56e21ad..d91622405adb 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -983,12 +983,36 @@ struct vfsmount *
>  vfs_submount(const struct dentry *mountpoint, struct file_system_type *type,
>  	     const char *name, void *data)
>  {
> +#if 0
>  	/* Until it is worked out how to pass the user namespace
>  	 * through from the parent mount to the submount don't support
>  	 * unprivileged mounts with submounts.
>  	 */
> +	/* Simple NFS mount inside a Container brings us here, so if we want to
> +	 * enable NFS inside a Container (read - in non-init userns), we have
> +	 * to omit the check.
> +	 *  SyS_mount
> +	 *   do_mount
> +	 *    vfs_kern_mount
> +	 *     mount_fs
> +	 *      nfs_fs_mount
> +	 *       nfs4_try_mount
> +	 *        nfs_follow_remote_path
> +	 *         mount_subtree
> +	 *	    vfs_path_lookup
> +	 *	     do_path_lookup
> +	 *	      filename_lookup
> +	 *	       path_lookupat
> +	 *	        lookup_slow
> +	 *	         follow_managed
> +	 *	          nfs_d_automount
> +	 *	           nfs4_submount
> +	 *		    nfs_do_submount
> +	 *		     vfs_submount
> +	 */
>  	if (mountpoint->d_sb->s_user_ns != &init_user_ns)
>  		return ERR_PTR(-EPERM);
> +#endif
>
>  	return vfs_kern_mount(type, SB_SUBMOUNT, name, data);
>  }
> .
>

More information about the Devel mailing list