[Devel] [PATCH RHEL COMMIT] VE/FS: containerize filesystems access

Konstantin Khorenko khorenko at virtuozzo.com
Fri Sep 24 15:48:45 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 06b7bc416506df5eaf1c60cce432f4bd1c65d7a0
Author: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
Date:   Fri Sep 24 15:48:45 2021 +0300

    VE/FS: containerize filesystems access
    
    Disable non-virtualized file systems in containers.
    
    This patch consists of two logical parts:
    
    1) Filter out non-containerized filesystems output for
    "/proc/filesystems".
    2) Forbid access to fs structure if current VE is not super and filesystem
    is not containerized.
    
    Signed-off-by: Konstantin Khlebnikov <khlebnikov at openvz.org>
    
    Signed-off-by: Stanislav Kinsburskiy <skinsbursky at virtuozzo.com>
    
    (cherry picked from vz8 commit ac0de845e2fd4da8cc16ba710d4ae2e5dcb2bda8)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 fs/filesystems.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/fs/filesystems.c b/fs/filesystems.c
index 90b8d879fbaf..87336a9c8104 100644
--- a/fs/filesystems.c
+++ b/fs/filesystems.c
@@ -17,6 +17,7 @@
 #include <linux/slab.h>
 #include <linux/uaccess.h>
 #include <linux/fs_parser.h>
+#include <linux/ve.h>
 
 /*
  * Handling of filesystem drivers list.
@@ -226,6 +227,18 @@ int __init get_filesystem_list(char *buf)
 	return len;
 }
 
+#ifdef CONFIG_VE
+static inline bool filesystem_permitted(const struct file_system_type *fs)
+{
+	return ve_is_super(get_exec_env()) || (fs->fs_flags & FS_VIRTUALIZED);
+}
+#else
+static inline bool filesystem_permitted(const struct file_system_type *fs)
+{
+	return true;
+}
+#endif
+
 #ifdef CONFIG_PROC_FS
 static int filesystems_proc_show(struct seq_file *m, void *v)
 {
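Review bot: The new filesystem_permitted() helper carries no comment stating the policy it encodes, and since it is the single decision point that both /proc/filesystems and get_fs_type() rely on, the rule should be written down next to it. I would add above the `#ifdef CONFIG_VE` a comment such as `/* Only the super VE (host) may see and look up every filesystem type; a container is restricted to types flagged FS_VIRTUALIZED. */`. The two `#ifdef` branches also duplicate the signature; if ve_is_super()/get_exec_env() are available as stubs without CONFIG_VE (linux/ve.h is included unconditionally above, but its contents are not visible here), a single body using `IS_ENABLED(CONFIG_VE)` would be shorter and keep the non-VE build type-checked.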
@@ -234,9 +247,11 @@ static int filesystems_proc_show(struct seq_file *m, void *v)
 	read_lock(&file_systems_lock);
 	tmp = file_systems;
 	while (tmp) {
-		seq_printf(m, "%s\t%s\n",
-			(tmp->fs_flags & FS_REQUIRES_DEV) ? "" : "nodev",
-			tmp->name);
+		if (filesystem_permitted(tmp)) {
+			seq_printf(m, "%s\t%s\n",
+				(tmp->fs_flags & FS_REQUIRES_DEV) ? "" : "nodev",
+				tmp->name);
+		}
 		tmp = tmp->next;
 	}
 	read_unlock(&file_systems_lock);
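Review bot: The new filter in filesystems_proc_show() hides entries without saying why, and a reader of this loop alone may take the listing as the security boundary, while the enforcement actually lives in the get_fs_type() change of the same commit. I would add above `if (filesystem_permitted(tmp)) {` the comment `/* Listing filter only: containers see just FS_VIRTUALIZED types; get_fs_type() enforces the same rule on lookup. */`. As a point of style, nesting the seq_printf() inside the new `if` pushes the format arguments further right; a guard of the form `if (!filesystem_permitted(tmp)) { tmp = tmp->next; continue; }`, or rewriting the loop as `for (tmp = file_systems; tmp; tmp = tmp->next)` so the guard is a one-line `continue`, would keep the original indentation.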
@@ -277,7 +292,9 @@ struct file_system_type *get_fs_type(const char *name)
 				     len, name);
 	}
 
-	if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
+	if (fs &&
+	    ((dot && !(fs->fs_flags & FS_HAS_SUBTYPE)) ||
+	     !filesystem_permitted(fs))) {
 		put_filesystem(fs);
 		fs = NULL;
 	}
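Review bot: The permission check is applied only after the type has been found, so in a container a lookup of a non-virtualized name still performs the whole lookup path first; if the `len, name);` line just above the hunk is the tail of the usual request_module("fs-...") fallback, an unprivileged container process can still trigger host module autoloading for an arbitrary `fs-<name>` alias and is denied only afterwards, which this commit does not address. Whether that is acceptable depends on policy (a blanket skip of autoload in non-super VEs would also stop containers from loading FS_VIRTUALIZED types that are not yet registered), so at minimum it should be documented where the decision is made. The merged condition is also hard to read because it folds two unrelated rejection reasons together; I would split it into the original `dot && !(fs->fs_flags & FS_HAS_SUBTYPE)` test and a separate `if (fs && !filesystem_permitted(fs))` block, each with its own `put_filesystem(fs); fs = NULL;`, preceded by `/* Hide non-virtualized types from containers: behave as if the name were unknown. */`. get_fs_type() starts above this hunk, so the lookup and any autoload call are outside the visible lines.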

