[Devel] [PATCH vz10 v2 1/2] fs: allow non-init s_user_ns for filesystems with FS_VE_MOUNT

Aleksei Oladko aleksey.oladko at virtuozzo.com
Tue Nov 11 03:51:40 MSK 2025


Mounting from non-init user namespaces for filesystems without
FS_USERNS_MOUNT was prohibited by commit e1c5ae59c0f22.

The new flag FS_VE_MOUNT was introduced in commit c0e4e73052f89
to allow mounting such filesystems inside container user
namespaces.

v2: added user_ns check

https://virtuozzo.atlassian.net/browse/VSTOR-105978

Signed-off-by: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
---
 fs/super.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/super.c b/fs/super.c
index 93b125ebd4e3..5cdd1b28ac9f 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -770,6 +770,7 @@ struct super_block *sget_fc(struct fs_context *fc,
 	struct super_block *s = NULL;
 	struct super_block *old;
 	struct user_namespace *user_ns = fc->global ? &init_user_ns : fc->user_ns;
+	struct cred *cred = get_exec_env()->init_cred;
 	int err;
 
 	/*
@@ -779,8 +780,11 @@ struct super_block *sget_fc(struct fs_context *fc,
 	 * an fs_fd opened in another user namespace.
 	 */
 	if (user_ns != &init_user_ns && !(fc->fs_type->fs_flags & FS_USERNS_MOUNT)) {
-		errorfc(fc, "VFS: Mounting from non-initial user namespace is not allowed");
-		return ERR_PTR(-EPERM);
+		if (!cred || (cred->user_ns != user_ns &&
+		    !(fc->fs_type->fs_flags & FS_USERNS_MOUNT))) {
+			errorfc(fc, "VFS: Mounting from non-initial user namespace is not allowed");
+			return ERR_PTR(-EPERM);
+		}
 	}
 
 retry:
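Review bot: The inner condition on the new lines re-tests `!(fc->fs_type->fs_flags & FS_USERNS_MOUNT)`, which the enclosing `if` has already established is true, so that term is dead and the check collapses to `!cred || cred->user_ns != user_ns`; the FS_VE_MOUNT flag named in the subject and description is never consulted, so as written every filesystem, not only those flagged FS_VE_MOUNT, becomes mountable from the container's init_cred user namespace. If the intent matches the title, the inner test should presumably read `if (!cred || cred->user_ns != user_ns || !(fc->fs_type->fs_flags & FS_VE_MOUNT)) {`. The comment that ends at "an fs_fd opened in another user namespace." still describes an unconditional refusal and should name the new exception, e.g. a trailing sentence such as `A container's init_cred user namespace is additionally allowed for filesystems flagged FS_VE_MOUNT.`. sget_fc begins before and continues past this hunk.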
-- 
2.43.0


