The commit is pushed to "branch-rh10-6.12.0-55.13.1.2.x.vz10-ovz" and will
appear at [email protected]:openvz/vzkernel.git
after rh10-6.12.0-55.13.1.2.20.vz10
------>
commit 8f43275725b5143ccd90ebed31f5c81a6bc75ce3
Author: Aleksei Oladko <[email protected]>
Date: Thu Nov 20 12:44:11 2025 +0000
fs: allow init Container user_ns to mount filesystems with FS_VE_MOUNT
Mounting from non-init user namespaces for filesystems without
FS_USERNS_MOUNT was prohibited by mainstream commit
e1c5ae59c0f22 ("fs: don't allow non-init s_user_ns for filesystems without
FS_USERNS_MOUNT").
The new flag FS_VE_MOUNT was introduced in commit
c0e4e73052f89 ("fs/ve: add new FS_VE_MOUNT flag to allow mount in
container init userns")
to allow mounting such filesystems inside init container user namespaces.
https://virtuozzo.atlassian.net/browse/VSTOR-105978
Signed-off-by: Aleksei Oladko <[email protected]>
Reviewed-by: Pavel Tikhomirov <[email protected]>
Feature: fs: whitelist what can be mounted in a CT
======
Patchset description:
cgroup/devices: Fix missing permission
This fixes an issue in the cgroup device controller where device access
checks were not enforced if the cgroup filesystem was already mounted
before. As a result, processes could bypass device access
restrictions.
---
fs/super.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/fs/super.c b/fs/super.c
index 93b125ebd4e36..faf37790544e6 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -770,6 +770,7 @@ struct super_block *sget_fc(struct fs_context *fc,
struct super_block *s = NULL;
struct super_block *old;
struct user_namespace *user_ns = fc->global ? &init_user_ns :
fc->user_ns;
+ struct cred *cred = get_exec_env()->init_cred;
int err;
/*
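Review bot: `cred` is fetched unconditionally from `get_exec_env()->init_cred` with no `get_cred()` reference taken, yet it is only consulted inside the `!FS_USERNS_MOUNT` branch further down; declare it `const struct cred *` (only `->user_ns` is read), and either move the lookup into that branch or add a comment stating why the VE's `init_cred` is guaranteed to remain valid for the whole of `sget_fc()` without a reference being held here.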
@@ -779,8 +780,10 @@ struct super_block *sget_fc(struct fs_context *fc,
* an fs_fd opened in another user namespace.
*/
if (user_ns != &init_user_ns && !(fc->fs_type->fs_flags &
FS_USERNS_MOUNT)) {
- errorfc(fc, "VFS: Mounting from non-initial user namespace is
not allowed");
- return ERR_PTR(-EPERM);
+ if (!cred || !(cred->user_ns == user_ns &&
fc->fs_type->fs_flags & FS_VE_MOUNT)) {
+ errorfc(fc, "VFS: Mounting from non-initial user
namespace is not allowed");
+ return ERR_PTR(-EPERM);
+ }
}
retry:
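Review bot: the new condition mixes `==`, `&` and `&&` without grouping parentheses; it parses as `(cred->user_ns == user_ns) && (fc->fs_type->fs_flags & FS_VE_MOUNT)`, which is the intended meaning, but spell it out as `!(cred && cred->user_ns == user_ns && (fc->fs_type->fs_flags & FS_VE_MOUNT))` so a reader does not have to work out precedence. The `cred->user_ns == user_ns` test limits the exemption to the container's init user namespace, matching the commit message, but the comment block above the check (ending at `* an fs_fd opened in another user namespace.`) still describes only the mainstream rule; add a sentence documenting that filesystems flagged FS_VE_MOUNT may be mounted from a CT's init user_ns. Also, the reused message "Mounting from non-initial user namespace is not allowed" now covers both a filesystem lacking FS_VE_MOUNT and a caller in a nested user namespace inside the CT; a distinct message for the in-CT denial would make those cases distinguishable in the kernel log.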
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel