From: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>

This patch is a part of vz7 commit 4e8e69eb16b1 ("fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns")

Some filesystems are allowed to be mounted only in init userns in mainstream/rh kernel. And some of those we still would like to mount in Containers (like NFS, overlayfs) - thus in not-init userns. We do check if particular filesystem is virtualized enough (or implement missing virtualization), but still we would like to mimic mainstream behavior and allow to mount those filesystems only in root userns for Containers (not in every nested userns). Thus introduce a new fs_flag to allow mounting the FS in root userns of a Container.

https://jira.sw.ru/browse/PSBM-121284

Fixes: f6264f72dc29 ("ve/fs: check mount SYS_ADMIN permission in current VE")

Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>
Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>

khorenko@: rebase to RHEL8.4 notes:
- check for FS_VE_MOUNT has been moved from sget_userns() to mount_capable()

(cherry picked from vz8 commit 8c5f10f248f81426c6adcc0e40737adb8d78f19d)
Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
---
 fs/super.c | 6 +++++-
 include/linux/fs.h | 2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/super.c b/fs/super.c index 45e6e73..71a18c2 100644 --- a/fs/super.c +++ b/fs/super.c @@ -39,6 +39,7 @@ #include <linux/fs_context.h> #include <linux/ve.h> #include <uapi/linux/mount.h> +#include <linux/ve.h> #include "internal.h" static int thaw_super_locked(struct super_block *sb); @@ -487,7 +488,10 @@ void generic_shutdown_super(struct super_block *sb) bool mount_capable(struct fs_context *fc) { if (!(fc->fs_type->fs_flags & FS_USERNS_MOUNT)) - return capable(CAP_SYS_ADMIN); + /* FS_VE_MOUNT allows mount in container init userns */ + return capable(CAP_SYS_ADMIN) || + ((fc->fs_type->fs_flags & FS_VE_MOUNT) && + ve_capable(CAP_SYS_ADMIN)); else return ns_capable(fc->user_ns, CAP_SYS_ADMIN); } diff --git a/include/linux/fs.h b/include/linux/fs.h index bf45b4a..1c05638 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h 
@@ -2470,6 +2470,8 @@ struct file_system_type { #define FS_DISALLOW_NOTIFY_PERM 16 /* Disable fanotify permission events */ #define FS_ALLOW_IDMAP 32 /* FS has been updated to handle vfs idmappings. */ #define FS_THP_SUPPORT 8192 /* Remove once all fs converted */ + +#define FS_VE_MOUNT 128 /* Can be mounted in VE init userns */ #define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */ int (*init_fs_context)(struct fs_context *); const struct fs_parameter_spec *parameters; -- 1.8.3.1 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
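Review bot: the `+#include <linux/ve.h>` added in the first fs/super.c hunk duplicates the `#include <linux/ve.h>` that is already present two context lines above it, so the added line should be dropped; the header the mount_capable() change relies on is already included, and the duplicate only adds noise to future rebases.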
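Review bot: in the mount_capable() hunk the new condition never looks at fc->user_ns, so the commit message's promise that an FS_VE_MOUNT filesystem can be mounted only from the container's root userns and not from a nested one rests entirely on ve_capable(CAP_SYS_ADMIN) returning false for a caller in a nested userns; that behaviour is not visible in the hunk, so the comment `/* FS_VE_MOUNT allows mount in container init userns */` (or the commit message) should state explicitly that ve_capable() enforces it, since this is the whole access-control argument for the change. Style point in the same hunk: a comment followed by a three-line `return` inside an unbraced `if` ... `else` is hard to read and easy to break on the next edit; put braces around both branches.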
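Review bot: in the include/linux/fs.h hunk, `#define FS_VE_MOUNT 128` is inserted between FS_THP_SUPPORT (8192) and FS_RENAME_DOES_D_MOVE (32768), out of the numeric order the surrounding flags follow, and the preceding bare `+` line adds an empty line inside the flag block; move the define up next to FS_ALLOW_IDMAP (32) without the blank line, and confirm against the part of the file not shown in this context that bit 128 is not already taken by another flag in this tree. A short note in the comment that this flag is Virtuozzo-specific (not upstream) would also help whoever does the next rebase.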