[Devel] [PATCH RH9 18/33] fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns

Thu Sep 23 22:08:21 MSK 2021

From: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>

This patch is a part of vz7 commit 4e8e69eb16b1 ("fs/ve: add new
FS_VE_MOUNT flag to allow mount in container init userns")

Some filesystems are allowed to be mounted only in init userns in
mainstream/rh kernel. And some of those we still would like to mount in
Containers (like NFS, overlayfs) - thus in not-init userns.

We do check if particular filesystem is virtualized enough (or
implement missing virtualization), but still we would like to mimic
mainstream behavior and allow to mount those filesystems only in root
userns for Containers (not in every nested userns).

Thus introduce a new fs_flag to allow mounting the FS in root userns of
a Container.

https://jira.sw.ru/browse/PSBM-121284

mFixes: f6264f72dc29 ("ve/fs: check mount SYS_ADMIN permission in current
VE")

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

khorenko@: rebase to RHEL8.4 notes:
- check for FS_VE_MOUNT has been moved from sget_userns() to
  mount_capable()

(cherry picked from vz8 commit 8c5f10f248f81426c6adcc0e40737adb8d78f19d)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 fs/super.c         | 6 +++++-
 include/linux/fs.h | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/super.c b/fs/super.c
index 45e6e73..71a18c2 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -39,6 +39,7 @@
 #include <linux/fs_context.h>
 #include <linux/ve.h>
 #include <uapi/linux/mount.h>
+#include <linux/ve.h>
 #include "internal.h"
 
 static int thaw_super_locked(struct super_block *sb);
@@ -487,7 +488,10 @@ void generic_shutdown_super(struct super_block *sb)
 bool mount_capable(struct fs_context *fc)
 {
 	if (!(fc->fs_type->fs_flags & FS_USERNS_MOUNT))
-		return capable(CAP_SYS_ADMIN);
+		/* FS_VE_MOUNT allows mount in container init userns */
+		return capable(CAP_SYS_ADMIN) ||
+		       ((fc->fs_type->fs_flags & FS_VE_MOUNT) &&
+			ve_capable(CAP_SYS_ADMIN));
 	else
 		return ns_capable(fc->user_ns, CAP_SYS_ADMIN);
 }
diff --git a/include/linux/fs.h b/include/linux/fs.h
index bf45b4a..1c05638 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2470,6 +2470,8 @@ struct file_system_type {
 #define FS_DISALLOW_NOTIFY_PERM	16	/* Disable fanotify permission events */
 #define FS_ALLOW_IDMAP         32      /* FS has been updated to handle vfs idmappings. */
 #define FS_THP_SUPPORT		8192	/* Remove once all fs converted */
+
+#define FS_VE_MOUNT		128	/* Can be mounted in VE init userns */
 #define FS_RENAME_DOES_D_MOVE	32768	/* FS will handle d_move() during rename() internally. */
 	int (*init_fs_context)(struct fs_context *);
 	const struct fs_parameter_spec *parameters;
-- 
1.8.3.1

