[Devel] [PATCH RHEL COMMIT] fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Sep 24 15:48:44 MSK 2021
The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit b866a59b58e1f58480b61ab4041690a470a11325
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date: Fri Sep 24 15:48:44 2021 +0300
fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns
This patch is a part of vz7 commit 4e8e69eb16b1 ("fs/ve: add new
FS_VE_MOUNT flag to allow mount in container init userns")
Some filesystems are allowed to be mounted only in the init userns in the
mainstream/rh kernel. And some of those we still would like to mount in
Containers (like NFS, overlayfs), thus in a non-init userns.
We do check if a particular filesystem is virtualized enough (or
implement the missing virtualization), but still we would like to mimic
mainstream behavior and allow mounting those filesystems only in the root
userns of Containers (not in every nested userns).
Thus introduce a new fs_flag to allow mounting the FS in the root userns of
a Container.
https://jira.sw.ru/browse/PSBM-121284
mFixes: f6264f72dc29 ("ve/fs: check mount SYS_ADMIN permission in current VE")
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
khorenko@: rebase to RHEL8.4 notes:
- check for FS_VE_MOUNT has been moved from sget_userns() to
mount_capable()
(cherry picked from vz8 commit 8c5f10f248f81426c6adcc0e40737adb8d78f19d)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
fs/super.c | 6 +++++-
include/linux/fs.h | 2 ++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/fs/super.c b/fs/super.c
index d9ca3f5406bd..c72159ea66fa 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -39,6 +39,7 @@
#include <linux/fs_context.h>
#include <linux/ve.h>
#include <uapi/linux/mount.h>
+#include <linux/ve.h>
#include "internal.h"
static int thaw_super_locked(struct super_block *sb);
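Review bot: the added `#include <linux/ve.h>` duplicates the `#include <linux/ve.h>` already present two lines above in the context of this hunk, so this line is redundant; drop the added include (or, if the earlier include was itself introduced by a previous vz commit, keep a single copy).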
@@ -487,7 +488,10 @@ EXPORT_SYMBOL(generic_shutdown_super);
bool mount_capable(struct fs_context *fc)
{
if (!(fc->fs_type->fs_flags & FS_USERNS_MOUNT))
- return capable(CAP_SYS_ADMIN);
+ /* FS_VE_MOUNT allows mount in container init userns */
+ return capable(CAP_SYS_ADMIN) ||
+ ((fc->fs_type->fs_flags & FS_VE_MOUNT) &&
+ ve_capable(CAP_SYS_ADMIN));
else
return ns_capable(fc->user_ns, CAP_SYS_ADMIN);
}
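Review bot: the new condition does not look at `fc->user_ns`, yet the commit message says the mount must be allowed only in the Container's root userns, "not in every nested userns"; either confirm in the log that `ve_capable(CAP_SYS_ADMIN)` by itself rejects callers from nested user namespaces inside the VE, or compare `fc->user_ns` against the VE's init userns explicitly before calling it. Also, the body of the `if` is now a comment plus a statement spanning three lines, so kernel coding style asks for braces around both branches of the `if`/`else`.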
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 1c1e29a59084..57a6ce644214 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2475,6 +2475,8 @@ struct file_system_type {
#define FS_DISALLOW_NOTIFY_PERM 16 /* Disable fanotify permission events */
#define FS_ALLOW_IDMAP 32 /* FS has been updated to handle vfs idmappings. */
#define FS_THP_SUPPORT 8192 /* Remove once all fs converted */
+
+#define FS_VE_MOUNT 128 /* Can be mounted in VE init userns */
#define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */
int (*init_fs_context)(struct fs_context *);
const struct fs_parameter_spec *parameters;
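Review bot: `FS_VE_MOUNT 128` is inserted between `FS_THP_SUPPORT 8192` and `FS_RENAME_DOES_D_MOVE 32768`, which breaks the ascending value order the visible defines follow; place it after the 32-valued entry (`FS_ALLOW_IDMAP`) instead, and note in the commit message that bit 128 was checked against the full flag list, since the hunk only shows a few of the `FS_*` defines and cannot prove the bit is free.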