[Devel] [PATCH RH9 20/33] VE/FS: containerize filesystems access

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Thu Sep 23 22:08:23 MSK 2021 

From: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>

Disable non-virtualized file systems in containers.

This patch contains of two logical parts:

1) Filter out non-containerized filesystems output for
"/proc/filesystems".
2) Forbid access to fs structure if current VE is not super and filesystem
is not containerized.

Signed-off-by: Konstantin Khlebnikov <khlebnikov at openvz.org>
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>

(cherry picked from vz8 commit ac0de845e2fd4da8cc16ba710d4ae2e5dcb2bda8)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 fs/filesystems.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/fs/filesystems.c b/fs/filesystems.c
index 90b8d87..87336a9 100644
--- a/fs/filesystems.c
+++ b/fs/filesystems.c
@@ -17,6 +17,7 @@
 #include <linux/slab.h>
 #include <linux/uaccess.h>
 #include <linux/fs_parser.h>
+#include <linux/ve.h>
 
 /*
  * Handling of filesystem drivers list.
@@ -226,6 +227,18 @@ int __init get_filesystem_list(char *buf)
 	return len;
 }
 
+#ifdef CONFIG_VE
+static inline bool filesystem_permitted(const struct file_system_type *fs)
+{
+	return ve_is_super(get_exec_env()) || (fs->fs_flags & FS_VIRTUALIZED);
+}
+#else
+static inline bool filesystem_permitted(const struct file_system_type *fs)
+{
+	return true;
+}
+#endif
+
 #ifdef CONFIG_PROC_FS
 static int filesystems_proc_show(struct seq_file *m, void *v)
 {
@@ -234,9 +247,11 @@ static int filesystems_proc_show(struct seq_file *m, void *v)
 	read_lock(&file_systems_lock);
 	tmp = file_systems;
 	while (tmp) {
-		seq_printf(m, "%s\t%s\n",
-			(tmp->fs_flags & FS_REQUIRES_DEV) ? "" : "nodev",
-			tmp->name);
+		if (filesystem_permitted(tmp)) {
+			seq_printf(m, "%s\t%s\n",
+				(tmp->fs_flags & FS_REQUIRES_DEV) ? "" : "nodev",
+				tmp->name);
+		}
 		tmp = tmp->next;
 	}
 	read_unlock(&file_systems_lock);
@@ -277,7 +292,9 @@ struct file_system_type *get_fs_type(const char *name)
 				     len, name);
 	}
 
-	if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
+	if (fs &&
+	    ((dot && !(fs->fs_flags & FS_HAS_SUBTYPE)) ||
+	     !filesystem_permitted(fs))) {
 		put_filesystem(fs);
 		fs = NULL;
 	}
-- 
1.8.3.1

More information about the Devel mailing list