On 11/5/25 17:22, Aleksei Oladko wrote:
> Mounting from non-init user namespaces for filesystems without
> FS_USERNS_MOUNT was prohibited by commit e1c5ae59c0f22.
>
> The new flag FS_VE_MOUNT was introduced in commit c0e4e73052f89
> to allow mounting such filesystems inside container user
> namespaces.
>
> https://virtuozzo.atlassian.net/browse/VSTOR-105978
>
> Signed-off-by: Aleksei Oladko <[email protected]>
> ---
> fs/super.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/super.c b/fs/super.c
> index 93b125ebd4e3..b8da7df103b3 100644
> --- a/fs/super.c
> +++ b/fs/super.c
> @@ -778,7 +778,8 @@ struct super_block *sget_fc(struct fs_context *fc,
> * This can happen when fsconfig() is called from init_user_ns with
> * an fs_fd opened in another user namespace.
> */
> - if (user_ns != &init_user_ns && !(fc->fs_type->fs_flags &
> FS_USERNS_MOUNT)) {
> + if (user_ns != &init_user_ns && !(fc->fs_type->fs_flags &
> FS_USERNS_MOUNT ||
> + fc->fs_type->fs_flags & FS_VE_MOUNT)) {

/* FS_VE_MOUNT allows mount in container init userns */

So we probably want this case:

user_ns == get_exec_env()->init_cred->user_ns && fc->fs_type->fs_flags & FS_VE_MOUNT

to be allowed. What do you think?

> errorfc(fc, "VFS: Mounting from non-initial user namespace is
> not allowed");
> return ERR_PTR(-EPERM);
> }

--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.
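Review bot: the changed condition in the sget_fc() hunk exempts FS_VE_MOUNT filesystems for every non-init user namespace, since `user_ns != &init_user_ns` is the only namespace test that remains, whereas the commit message and the inline comment describe the flag as permitting mounts from the container's init user namespace; a user namespace created inside a container would pass this check just the same. Tie the FS_VE_MOUNT branch to the container init user namespace as the reply suggests, for example by keeping the FS_USERNS_MOUNT test as it is and adding a separate `(fc->fs_type->fs_flags & FS_VE_MOUNT) && user_ns == get_exec_env()->init_cred->user_ns` clause to the allowed cases. As a style point, `!(flags & FS_USERNS_MOUNT || flags & FS_VE_MOUNT)` relies on `&` binding tighter than `||` and is easy to misread; if the two flags really are meant to be equivalent here, `!(fc->fs_type->fs_flags & (FS_USERNS_MOUNT | FS_VE_MOUNT))` states that more plainly.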
