The commit is pushed to "branch-rh7-3.10.0-1127.18.2.vz7.163.x-ovz" and will 
appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1127.18.2.vz7.163.39
------>
commit 4e8e69eb16b143f21e583c370ae860c81a76bd17
Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Date:   Tue Oct 20 12:20:22 2020 +0300

    fs/ve: add new FS_VE_MOUNT flag to allow mount in container init userns
    
    Use this for overlayfs and remove FS_USERNS_MOUNT for it as we want
    overlayfs mounts in container to mimic overlayfs mounts on host, and
    thus they can only be mounted in init userns of container.
    
    https://jira.sw.ru/browse/PSBM-121284
    
    Fixes: 71dd847047f6 ("ve/fs/overlay: allow overlayfs to be used inside a
    Container")
    
    Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
    
    Reviewed-by: Konstantin Khorenko <khore...@virtuozzo.com>
---
 fs/overlayfs/super.c | 4 ++--
 fs/super.c           | 5 ++++-
 include/linux/fs.h   | 1 +
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
index d17276d..46b8207 100644
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -1588,8 +1588,8 @@ static struct file_system_type ovl_fs_type = {
        .name           = "overlay",
        .mount          = ovl_mount,
        .kill_sb        = kill_anon_super,
-       .fs_flags       = FS_HAS_DOPS_WRAPPER |
-                         FS_VIRTUALIZED | FS_USERNS_MOUNT,
+       .fs_flags       = FS_HAS_DOPS_WRAPPER | FS_VIRTUALIZED |
+                         FS_VE_MOUNT,
 };
 MODULE_ALIAS_FS("overlay");
 
diff --git a/fs/super.c b/fs/super.c
index 1cf377a..cdb061e 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -510,7 +510,10 @@ struct super_block *sget_userns(struct file_system_type 
*type,
 
        if (!(flags & (MS_KERNMOUNT|MS_SUBMOUNT)) &&
            !(type->fs_flags & FS_USERNS_MOUNT) &&
-           !capable(CAP_SYS_ADMIN))
+           !capable(CAP_SYS_ADMIN) &&
+           /* FS_VE_MOUNT allows mount in container init userns */
+           !((type->fs_flags & FS_VE_MOUNT) &&
+              ve_capable(CAP_SYS_ADMIN)))
                return ERR_PTR(-EPERM);
 retry:
        spin_lock(&sb_lock);
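Review bot: The new clause in the sget_userns() permission check lets any filesystem type flagged FS_VE_MOUNT pass without host CAP_SYS_ADMIN, yet its only documentation is a one-line comment wedged between the conjuncts that does not say which namespace ve_capable() tests. I would move it above the `if` and state the whole policy, e.g. `/* Non-kernel mounts need host CAP_SYS_ADMIN, FS_USERNS_MOUNT, or FS_VE_MOUNT plus CAP_SYS_ADMIN in the container's init userns. */`. ve_capable() is defined outside this diff, so its semantics here are assumed from the commit message; it is worth confirming that it fails for a caller in a nested user namespace inside the container, since that is the case the commit message says must be refused. Any other test of FS_USERNS_MOUNT on the mount path (none is visible in this diff) would also need to accept FS_VE_MOUNT, otherwise overlay mounts from the container's init userns may now be rejected elsewhere. sget_userns() begins and continues outside the hunk.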
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 55a92ce..969a041 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2312,6 +2312,7 @@ struct file_system_type {
 #define FS_HAS_SUBTYPE         4
 #define FS_USERNS_MOUNT                8       /* Can be mounted by userns 
root */
 #define FS_VIRTUALIZED         64      /* Can mount this fstype inside ve */
+#define FS_VE_MOUNT            128     /* Can be mounted by ve-init userns 
root */
 #define FS_HAS_RM_XQUOTA       256     /* KABI: fs has the rm_xquota quota op 
*/
 #define FS_HAS_INVALIDATE_RANGE        512     /* FS has new ->invalidatepage 
with length arg */
 #define FS_HAS_DIO_IODONE2     1024    /* KABI: fs supports new iodone */