[Devel] [PATCH RH9 19/33] fs: Mask appropriate filesystems FS_VIRTUALIZED

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Thu Sep 23 22:08:22 MSK 2021


From: Kirill Tkhai <ktkhai at virtuozzo.com>

Extracted from "Initial patch".

Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>

+++
ve/fs/autofs: Allow autofs to be used inside a container

It turned out that autofs is used at least for NFS/CIFS and binfmt_misc.

Let's use new FS_VE_MOUNT flag to only allow autofs mounts in
container-init userns, which would mimic mainstream host behaviour.

https://jira.sw.ru/browse/PSBM-26968
https://jira.sw.ru/browse/PSBM-86138
https://jira.sw.ru/browse/PSBM-128649

Rebase from VZ7, with use of FS_VE_MOUNT and with comment cleanup:
vz7 commits:
83c27c7bffcc1 ("ve/fs/autofs: mark autofs as virtualized")
0045b317c97b ("ve/fs/autofs: allow to mount autofs inside non-root userns")

mFixes: 7ddb6e8dd9f6 ("fs: Mask appropriate filesystems FS_VIRTUALIZED")

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

+++
fs/ext4: removed FS_VIRTUALIZED flag from 'ext3' mode of ext4 module

FS_VIRTUALIZED flag makes a registered filesystem visible in container.
ext3 is part of ext4 module that is run with untested set of flags.

Signed-off-by: Valeriy.Vdovin <valeriy.vdovin at virtuozzo.com>

khorenko@: this flag allows to mount ext3 fs inside a Container
if a Container has proper permissions for a device to be mounted.
In vz7 we never allowed it, we don't test it, so don't see any
advantages of enabling it in vz8. We can change this of course upon
request.

(cherry picked from vz8 commit b594c31c974e708e96826dcd2d903c6472dfea2d)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 fs/autofs/init.c       | 1 +
 fs/devpts/inode.c      | 2 +-
 fs/ext4/super.c        | 2 +-
 fs/fuse/inode.c        | 2 +-
 fs/overlayfs/super.c   | 1 +
 fs/proc/root.c         | 2 +-
 fs/sysfs/mount.c       | 2 +-
 fs/xfs/xfs_super.c     | 2 +-
 include/linux/fs.h     | 1 +
 ipc/mqueue.c           | 2 +-
 kernel/cgroup/cgroup.c | 2 +-
 mm/shmem.c             | 2 +-
 12 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/fs/autofs/init.c b/fs/autofs/init.c
index d3f55e8..f1e0416 100644
--- a/fs/autofs/init.c
+++ b/fs/autofs/init.c
@@ -18,6 +18,7 @@ struct file_system_type autofs_fs_type = {
 	.name		= "autofs",
 	.mount		= autofs_mount,
 	.kill_sb	= autofs_kill_sb,
+	.fs_flags	= FS_VIRTUALIZED | FS_VE_MOUNT,
 };
 MODULE_ALIAS_FS("autofs");
 MODULE_ALIAS("autofs");
diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
index 42e5a76..d67ed08 100644
--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -519,7 +519,7 @@ static void devpts_kill_sb(struct super_block *sb)
 	.name		= "devpts",
 	.mount		= devpts_mount,
 	.kill_sb	= devpts_kill_sb,
-	.fs_flags	= FS_USERNS_MOUNT,
+	.fs_flags	= FS_USERNS_MOUNT | FS_VIRTUALIZED,
 };
 
 /*
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 2bde0a2..befbb08 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -6704,7 +6704,7 @@ static inline int ext3_feature_set_ok(struct super_block *sb)
 	.name		= "ext4",
 	.mount		= ext4_mount,
 	.kill_sb	= kill_block_super,
-	.fs_flags	= FS_REQUIRES_DEV | FS_ALLOW_IDMAP,
+	.fs_flags	= FS_REQUIRES_DEV | FS_ALLOW_IDMAP | FS_VIRTUALIZED,
 };
 MODULE_ALIAS_FS("ext4");
 
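Review bot: ext4_fs_type also carries FS_REQUIRES_DEV, so once FS_VIRTUALIZED is set a container that has been granted access to a block device gets the kernel's ext4 on-disk parser exposed to an image the container controls; the xfs hunk has the same combination. The commit message records this trade-off only for ext3 (khorenko's paragraph) and does not say why ext4 and xfs are acceptable or what, beyond the container's device permissions, gates that path. A sentence in the description, or a short comment above the `.fs_flags` line naming the gating mechanism, would make the decision auditable later. The ext3 file_system_type that the subject line refers to is outside this hunk, so I cannot confirm from the patch that it stays unmarked.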
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index b9beb39..5705943 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1671,7 +1671,7 @@ static void fuse_kill_sb_anon(struct super_block *sb)
 static struct file_system_type fuse_fs_type = {
 	.owner		= THIS_MODULE,
 	.name		= "fuse",
-	.fs_flags	= FS_HAS_SUBTYPE | FS_USERNS_MOUNT,
+	.fs_flags	= FS_HAS_SUBTYPE | FS_USERNS_MOUNT | FS_VIRTUALIZED,
 	.init_fs_context = fuse_init_fs_context,
 	.parameters	= fuse_fs_parameters,
 	.kill_sb	= fuse_kill_sb_anon,
diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index b01d414..74571ad 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -2166,6 +2166,7 @@ static struct dentry *ovl_mount(struct file_system_type *fs_type, int flags,
 	.fs_flags	= FS_USERNS_MOUNT,
 	.mount		= ovl_mount,
 	.kill_sb	= kill_anon_super,
+	.fs_flags	= FS_VIRTUALIZED,
 };
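Review bot: `.fs_flags` is now initialized twice in this struct — the existing `.fs_flags = FS_USERNS_MOUNT,` on the hunk's first line and the added `.fs_flags = FS_VIRTUALIZED,` — and in C the last designated initializer wins, so the effective value is FS_VIRTUALIZED alone and FS_USERNS_MOUNT is silently dropped (GCC reports this under -Woverride-init). Nothing in the commit message says overlay should stop being mountable from a non-init user namespace, so this looks unintended. Change the existing line to `.fs_flags = FS_USERNS_MOUNT | FS_VIRTUALIZED,` and drop the added line, matching what every other hunk in this patch does. The struct's opening line is above the hunk.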
 MODULE_ALIAS_FS("overlay");
 
diff --git a/fs/proc/root.c b/fs/proc/root.c
index c7e3b13..02a4a3d63 100644
--- a/fs/proc/root.c
+++ b/fs/proc/root.c
@@ -282,7 +282,7 @@ static void proc_kill_sb(struct super_block *sb)
 	.init_fs_context	= proc_init_fs_context,
 	.parameters		= proc_fs_parameters,
 	.kill_sb		= proc_kill_sb,
-	.fs_flags		= FS_USERNS_MOUNT | FS_DISALLOW_NOTIFY_PERM,
+	.fs_flags		= FS_USERNS_MOUNT | FS_DISALLOW_NOTIFY_PERM | FS_VIRTUALIZED,
 };
 
 void __init proc_root_init(void)
diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c
index 7714e1c..cfd0b25 100644
--- a/fs/sysfs/mount.c
+++ b/fs/sysfs/mount.c
@@ -93,7 +93,7 @@ static void sysfs_kill_sb(struct super_block *sb)
 	.name			= "sysfs",
 	.init_fs_context	= sysfs_init_fs_context,
 	.kill_sb		= sysfs_kill_sb,
-	.fs_flags		= FS_USERNS_MOUNT,
+	.fs_flags		= FS_USERNS_MOUNT | FS_VIRTUALIZED,
 };
 
 int __init sysfs_init(void)
diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
index 9820fa8..304875c 100644
--- a/fs/xfs/xfs_super.c
+++ b/fs/xfs/xfs_super.c
@@ -1888,7 +1888,7 @@ static int xfs_init_fs_context(
 	.init_fs_context	= xfs_init_fs_context,
 	.parameters		= xfs_fs_parameters,
 	.kill_sb		= kill_block_super,
-	.fs_flags		= FS_REQUIRES_DEV | FS_ALLOW_IDMAP,
+	.fs_flags		= FS_REQUIRES_DEV | FS_ALLOW_IDMAP | FS_VIRTUALIZED,
 };
 MODULE_ALIAS_FS("xfs");
 
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 1c05638..f84a592 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2471,6 +2471,7 @@ struct file_system_type {
 #define FS_ALLOW_IDMAP         32      /* FS has been updated to handle vfs idmappings. */
 #define FS_THP_SUPPORT		8192	/* Remove once all fs converted */
 
+#define FS_VIRTUALIZED		64	/* Can mount this fstype inside ve */
 #define FS_VE_MOUNT		128	/* Can be mounted in VE init userns */
 #define FS_RENAME_DOES_D_MOVE	32768	/* FS will handle d_move() during rename() internally. */
 	int (*init_fs_context)(struct fs_context *);
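Review bot: The new define's comment `/* Can mount this fstype inside ve */` reads almost identically to the neighbouring FS_VE_MOUNT comment, while the commit message describes FS_VIRTUALIZED as making a registered filesystem visible in a container and FS_VE_MOUNT as the flag that gates mounting in the container-init userns. Since the autofs hunk combines both flags, the header should spell out the distinction, e.g. `/* fstype is visible inside a VE; see FS_VE_MOUNT for the init-userns mount gate */`, adjusted to what the checking code (not in this patch) actually does. The insertion also breaks the numeric order of the block (32, 8192, 64, 128, 32768); keeping bits sorted makes collisions easier to spot, though 64 is unused by the FS_* values visible here.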
diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 5becca9..3177c2b3 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -1672,7 +1672,7 @@ static int compat_prepare_timeout(const struct old_timespec32 __user *p,
 	.name			= "mqueue",
 	.init_fs_context	= mqueue_init_fs_context,
 	.kill_sb		= kill_litter_super,
-	.fs_flags		= FS_USERNS_MOUNT,
+	.fs_flags		= FS_USERNS_MOUNT | FS_VIRTUALIZED,
 };
 
 int mq_init_ns(struct ipc_namespace *ns)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 1d902b6..da0e69d 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -2261,7 +2261,7 @@ struct file_system_type cgroup_fs_type = {
 	.init_fs_context	= cgroup_init_fs_context,
 	.parameters		= cgroup1_fs_parameters,
 	.kill_sb		= cgroup_kill_sb,
-	.fs_flags		= FS_USERNS_MOUNT,
+	.fs_flags		= FS_USERNS_MOUNT | FS_VIRTUALIZED,
 };
 
 static struct file_system_type cgroup2_fs_type = {
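Review bot: Only cgroup_fs_type (cgroup v1) receives FS_VIRTUALIZED here; cgroup2_fs_type, whose definition begins on the hunk's last context line, is left unmarked, and the diffstat shows no other change in this file. If cgroup2 is meant to be visible inside containers as well, it needs the same `.fs_flags` update; if the omission is deliberate, a one-line comment on cgroup2_fs_type saying so would prevent a later "fix". I cannot tell from the patch which is intended.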
diff --git a/mm/shmem.c b/mm/shmem.c
index dacda74..4bce396 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -3881,7 +3881,7 @@ int shmem_init_fs_context(struct fs_context *fc)
 	.parameters	= shmem_fs_parameters,
 #endif
 	.kill_sb	= kill_litter_super,
-	.fs_flags	= FS_USERNS_MOUNT | FS_THP_SUPPORT,
+	.fs_flags	= FS_USERNS_MOUNT | FS_THP_SUPPORT | FS_VIRTUALIZED,
 };
 
 int __init shmem_init(void)
-- 
1.8.3.1


