From: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com> Disable non-virtualized file systems in containers.
This patch contains of two logical parts: 1) Filter out non-containerized filesystems output for "/proc/filesystems". 2) Forbid access to fs structure if current VE is not super and filesystem is not containerized.

Signed-off-by: Konstantin Khlebnikov <khlebni...@openvz.org>
Signed-off-by: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>
(cherry picked from vz8 commit ac0de845e2fd4da8cc16ba710d4ae2e5dcb2bda8)
Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
---
 fs/filesystems.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/fs/filesystems.c b/fs/filesystems.c
index 90b8d87..87336a9 100644
--- a/fs/filesystems.c
+++ b/fs/filesystems.c
@@ -17,6 +17,7 @@
 #include <linux/slab.h>
 #include <linux/uaccess.h>
 #include <linux/fs_parser.h>
+#include <linux/ve.h>
 
 /*
  * Handling of filesystem drivers list.
@@ -226,6 +227,18 @@ int __init get_filesystem_list(char *buf)
 	return len;
 }
 
+#ifdef CONFIG_VE
+static inline bool filesystem_permitted(const struct file_system_type *fs)
+{
+	return ve_is_super(get_exec_env()) || (fs->fs_flags & FS_VIRTUALIZED);
+}
+#else
+static inline bool filesystem_permitted(const struct file_system_type *fs)
+{
+	return true;
+}
+#endif
+
 #ifdef CONFIG_PROC_FS
 static int filesystems_proc_show(struct seq_file *m, void *v)
 {
@@ -234,9 +247,11 @@ static int filesystems_proc_show(struct seq_file *m, void *v)
 	read_lock(&file_systems_lock);
 	tmp = file_systems;
 	while (tmp) {
-		seq_printf(m, "%s\t%s\n",
-			(tmp->fs_flags & FS_REQUIRES_DEV) ? "" : "nodev",
-			tmp->name);
+		if (filesystem_permitted(tmp)) {
+			seq_printf(m, "%s\t%s\n",
+				(tmp->fs_flags & FS_REQUIRES_DEV) ? "" : "nodev",
+				tmp->name);
+		}
 		tmp = tmp->next;
 	}
 	read_unlock(&file_systems_lock);
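Review bot: The new `filesystem_permitted()` helper, which both the `/proc/filesystems` filter and `get_fs_type()` now hinge on, carries no comment stating the policy it enforces, and that policy lives in a flag (`FS_VIRTUALIZED`) set elsewhere in the tree. I would add above the `#ifdef CONFIG_VE`: `/* A non-super VE sees, and can resolve by name, only fs types flagged FS_VIRTUALIZED; the super VE, and kernels built without CONFIG_VE, see every registered type. */`. It is worth stating there too that a fs type registered without `FS_VIRTUALIZED` is intentionally hidden from containers, so a future driver author knows the flag is the opt-in rather than a leftover.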
@@ -277,7 +292,9 @@ struct file_system_type *get_fs_type(const char *name)
 			len, name);
 	}
 
-	if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
+	if (fs &&
+	    ((dot && !(fs->fs_flags & FS_HAS_SUBTYPE)) ||
+	     !filesystem_permitted(fs))) {
 		put_filesystem(fs);
 		fs = NULL;
 	}
-- 
1.8.3.1

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel
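Review bot: The new `!filesystem_permitted(fs)` check runs only after the lookup has produced a type, so a non-super VE that names an unloaded filesystem can still drive the `request_module("fs-...")` fallback that the `len, name);` context line appears to be the tail of; the type is then dropped, but the module and its init code have already been loaded on the container's behalf. If autoloading arbitrary fs modules from containers is not intended, that autoload branch (outside this hunk) would also need a `ve_is_super(get_exec_env())` condition, at the cost of containers no longer pulling in not-yet-loaded `FS_VIRTUALIZED` drivers on demand. Returning NULL here should presumably surface to mount callers as the usual "no such filesystem type" error, which reveals nothing about the hidden type. `get_fs_type()` begins and ends outside the hunk.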