[Devel] [PATCH rh8 1/4] fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns

Konstantin Khorenko khorenko at virtuozzo.com
Thu Mar 18 20:04:06 MSK 2021 

This patch is a part of vz7 commit 4e8e69eb16b1 ("fs/ve: add new
FS_VE_MOUNT flag to allow mount in container init userns")

Some filesystems are allowed to be mounted only in init userns in
mainstream/rh kernel. And some of those we still would like to mount in
Containers (like NFS, overlayfs) - thus in not-init userns.

We do check if particular filesystem is virtualized enough (or
implement missing virtualization), but still we would like to mimic
mainstream behavior and allow to mount those filesystems only in root
userns for Containers (not in every nested userns).

Thus introduce a new fs_flag to allow mounting the FS in root userns of
a Container.

https://jira.sw.ru/browse/PSBM-121284

Fixes: f6264f72dc29 ("ve/fs: check mount SYS_ADMIN permission in current
VE")

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 fs/super.c         | 5 ++++-
 include/linux/fs.h | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/super.c b/fs/super.c
index 24ac1e93f8a4..a7de90fc2d74 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -523,7 +523,10 @@ struct super_block *sget_userns(struct file_system_type *type,
 
 	if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) &&
 	    !(type->fs_flags & FS_USERNS_MOUNT) &&
-	    !ve_capable(CAP_SYS_ADMIN))
+	    !capable(CAP_SYS_ADMIN) &&
+	    /* FS_VE_MOUNT allows mount in container init userns */
+	    !((type->fs_flags & FS_VE_MOUNT) &&
+	       ve_capable(CAP_SYS_ADMIN)))
 		return ERR_PTR(-EPERM);
 retry:
 	spin_lock(&sb_lock);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 7427c0579771..544d7fa3ca58 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2221,6 +2221,7 @@ struct file_system_type {
 #define FS_USERNS_MOUNT		8	/* Can be mounted by userns root */
 
 #define FS_VIRTUALIZED		64	/* Can mount this fstype inside ve */
+#define FS_VE_MOUNT		128	/* Can be mounted in VE init userns */
 #define FS_RENAME_DOES_D_MOVE	32768	/* FS will handle d_move() during rename() internally. */
 	struct dentry *(*mount) (struct file_system_type *, int,
 		       const char *, void *);
-- 
2.28.0

More information about the Devel mailing list