[Devel] [PATCH vz10 v3 1/2] fs: allow non-init s_user_ns for filesystems with FS_VE_MOUNT
Aleksei Oladko
aleksey.oladko at virtuozzo.com
Wed Nov 12 01:15:11 MSK 2025
Mounting from non-init user namespaces for filesystems without
FS_USERNS_MOUNT was prohibited by commit e1c5ae59c0f22.
The new flag FS_VE_MOUNT was introduced in commit c0e4e73052f89
to allow mounting such filesystems inside container user
namespaces.
v2, v3: allow mounting in a container's init userns for
filesystems with FS_INIT_CT_MOUNT
https://virtuozzo.atlassian.net/browse/VSTOR-105978
Signed-off-by: Aleksei Oladko <aleksey.oladko at virtuozzo.com>
---
fs/super.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/super.c b/fs/super.c
index 93b125ebd4e3..b1c5315be1cc 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -770,6 +770,7 @@ struct super_block *sget_fc(struct fs_context *fc,
struct super_block *s = NULL;
struct super_block *old;
struct user_namespace *user_ns = fc->global ? &init_user_ns : fc->user_ns;
+ struct cred *cred = get_exec_env()->init_cred;
int err;
/*
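Review bot: `struct cred *cred = get_exec_env()->init_cred;` is evaluated for every sget_fc() call, including fc->global mounts and mounts from &init_user_ns where the value is never read; move the lookup into the `user_ns != &init_user_ns && !(... & FS_USERNS_MOUNT)` branch where it is actually used, and consider declaring it `const struct cred *` since nothing here writes through the pointer.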
@@ -779,8 +780,10 @@ struct super_block *sget_fc(struct fs_context *fc,
* an fs_fd opened in another user namespace.
*/
if (user_ns != &init_user_ns && !(fc->fs_type->fs_flags & FS_USERNS_MOUNT)) {
- errorfc(fc, "VFS: Mounting from non-initial user namespace is not allowed");
- return ERR_PTR(-EPERM);
+ if (!cred || !(cred->user_ns == user_ns && fc->fs_type->fs_flags & FS_VE_MOUNT))
+ errorfc(fc, "VFS: Mounting from non-initial user namespace is not allowed");
+ return ERR_PTR(-EPERM);
+ }
}
retry:
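Review bot: as the hunk reads here, `if (!cred || !(cred->user_ns == user_ns && fc->fs_type->fs_flags & FS_VE_MOUNT))` has no opening `{`, yet a `}` follows `return ERR_PTR(-EPERM);`; if that brace was really dropped rather than lost in transit, only errorfc() is conditional and the return rejects every mount that reaches this block (and the braces no longer balance), so please confirm the line ends in `{`. Two smaller points on the same condition: parenthesise the bitwise test as `(fc->fs_type->fs_flags & FS_VE_MOUNT)` to match the outer condition and avoid relying on `&` binding tighter than `&&`; and the changelog describes the v2/v3 change in terms of FS_INIT_CT_MOUNT while the code tests FS_VE_MOUNT, so one of the two needs updating. The block comment above the check (ending "an fs_fd opened in another user namespace.") should also document the new exception: a filesystem flagged FS_VE_MOUNT is accepted only when fc->user_ns is the user namespace of the VE's init_cred, i.e. the container's own init userns and not a userns nested inside it, which is the restriction the v2/v3 note describes.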
--
2.43.0