[Devel] [PATCH RHEL8 COMMIT] fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Mar 19 13:42:50 MSK 2021
The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.8
------>
commit d186104ce5ae848c94b70525629630cdd11dcdfc
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Thu Mar 18 14:51:56 2021 +0300
fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns
This patch is a part of vz7 commit 4e8e69eb16b1 ("fs/ve: add new
FS_VE_MOUNT flag to allow mount in container init userns")
Some filesystems are allowed to be mounted only in the init userns in
the mainstream/rh kernel, and some of those we still would like to mount in
Containers (like NFS, overlayfs), thus in a non-init userns.
We do check whether a particular filesystem is virtualized enough (or
implement the missing virtualization), but we would still like to mimic
mainstream behavior and allow mounting those filesystems only in the root
userns of Containers (not in every nested userns).
Thus introduce a new fs_flag to allow mounting the FS in the root userns of
a Container.
https://jira.sw.ru/browse/PSBM-121284
Fixes: f6264f72dc29 ("ve/fs: check mount SYS_ADMIN permission in current VE")
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
fs/super.c | 5 ++++-
include/linux/fs.h | 1 +
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/fs/super.c b/fs/super.c
index 24ac1e93f8a4..a7de90fc2d74 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -523,7 +523,10 @@ struct super_block *sget_userns(struct file_system_type *type,
if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT)) &&
!(type->fs_flags & FS_USERNS_MOUNT) &&
- !ve_capable(CAP_SYS_ADMIN))
+ !capable(CAP_SYS_ADMIN) &&
+ /* FS_VE_MOUNT allows mount in container init userns */
+ !((type->fs_flags & FS_VE_MOUNT) &&
+ ve_capable(CAP_SYS_ADMIN)))
return ERR_PTR(-EPERM);
retry:
spin_lock(&sb_lock);
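Review bot: this hunk tightens the policy rather than only extending it, and the commit message should say so: before the change any filesystem without FS_USERNS_MOUNT passed on `!ve_capable(CAP_SYS_ADMIN)` alone, whereas after it a filesystem that sets neither FS_USERNS_MOUNT nor FS_VE_MOUNT now needs host-level `capable(CAP_SYS_ADMIN)`, so NFS and overlayfs mounts from a Container will return -EPERM until a follow-up patch sets FS_VE_MOUNT on those fs_types; the series ordering (or the commit message) should make that dependency explicit. Also, the comment "FS_VE_MOUNT allows mount in container init userns" promises a check that this hunk does not show: whether `ve_capable(CAP_SYS_ADMIN)` is evaluated against the Container's init userns or against the caller's current userns is not visible here, and if it is the latter, a root inside a nested userns within the Container would pass as well, contrary to the "not in every nested userns" intent in the commit message. Consider naming the userns being checked in the comment, or adding an explicit comparison of `current_user_ns()` with the Container's init userns if `ve_capable()` does not already do that.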
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 7427c0579771..544d7fa3ca58 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2221,6 +2221,7 @@ struct file_system_type {
#define FS_USERNS_MOUNT 8 /* Can be mounted by userns root */
#define FS_VIRTUALIZED 64 /* Can mount this fstype inside ve */
+#define FS_VE_MOUNT 128 /* Can be mounted in VE init userns */
#define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */
struct dentry *(*mount) (struct file_system_type *, int,
const char *, void *);
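Review bot: the comment on the new `#define FS_VE_MOUNT 128 /* Can be mounted in VE init userns */` understates the condition actually applied in fs/super.c, where the flag only takes effect together with `ve_capable(CAP_SYS_ADMIN)`; spelling that out ("by a CAP_SYS_ADMIN holder in the VE init userns") keeps the header self-explanatory for whoever sets the flag on a fs_type later. The value 128 sits between the visible 64 (FS_VIRTUALIZED) and 32768 (FS_RENAME_DOES_D_MOVE), but only 8, 64 and 32768 are shown in this hunk; confirm no other backported flag in this header or in the vz tree already uses bit 128 before merging.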