[Devel] [PATCH rh8 1/4] fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Fri Mar 19 10:57:01 MSK 2021
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Everything looks good. Though note that probably we have some more fs-es
except nfs and ext4 which need the same change in future: devtmpfs,
autofs, binfmt_misc, devpts, fuse, nfsd, proc, ramfs, sysfs, xfs,
mqueue, shmem and rpcpipefs (At least all of them need to be checked).
On 3/18/21 8:04 PM, Konstantin Khorenko wrote:
> This patch is a part of vz7 commit 4e8e69eb16b1 ("fs/ve: add new
> FS_VE_MOUNT flag to allow mount in container init userns")
>
> Some filesystems are allowed to be mounted only in init userns in
> mainstream/rh kernel. And some of those we still would like to mount in
> Containers (like NFS, overlayfs) - thus in not-init userns.
>
> We do check if particular filesystem is virtualized enough (or
> implement missing virtualization), but still we would like to mimic
> mainstream behavior and allow to mount those filesystems only in root
> userns for Containers (not in every nested userns).
>
> Thus introduce a new fs_flag to allow mounting the FS in root userns of
> a Container.
>
> https://jira.sw.ru/browse/PSBM-121284
>
> Fixes: f6264f72dc29 ("ve/fs: check mount SYS_ADMIN permission in current
> VE")
>
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> ---
> fs/super.c | 5 ++++-
> include/linux/fs.h | 1 +
> 2 files changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/fs/super.c b/fs/super.c
> index 24ac1e93f8a4..a7de90fc2d74 100644
> --- a/fs/super.c
> +++ b/fs/super.c
> @@ -523,7 +523,10 @@ struct super_block *sget_userns(struct file_system_type *type,
>
> if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) &&
> !(type->fs_flags & FS_USERNS_MOUNT) &&
> - !ve_capable(CAP_SYS_ADMIN))
> + !capable(CAP_SYS_ADMIN) &&
> + /* FS_VE_MOUNT allows mount in container init userns */
> + !((type->fs_flags & FS_VE_MOUNT) &&
> + ve_capable(CAP_SYS_ADMIN)))
> return ERR_PTR(-EPERM);
> retry:
> spin_lock(&sb_lock);
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 7427c0579771..544d7fa3ca58 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -2221,6 +2221,7 @@ struct file_system_type {
> #define FS_USERNS_MOUNT 8 /* Can be mounted by userns root */
>
> #define FS_VIRTUALIZED 64 /* Can mount this fstype inside ve */
> +#define FS_VE_MOUNT 128 /* Can be mounted in VE init userns */
> #define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */
> struct dentry *(*mount) (struct file_system_type *, int,
> const char *, void *);
>
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
More information about the Devel
mailing list