Mounting from non-init user namespaces for filesystems without
FS_USERNS_MOUNT was prohibited by commit e1c5ae59c0f22.

The new flag FS_VE_MOUNT was introduced in commit c0e4e73052f89
to allow mounting such filesystems inside container user
namespaces.

v2,v3: allow mounting in a container's init userns for
filesystems with FS_INIT_CT_MOUNT
v4: fix typo
v5: no changes

https://virtuozzo.atlassian.net/browse/VSTOR-105978

Signed-off-by: Aleksei Oladko <[email protected]>
---
 fs/super.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/super.c b/fs/super.c
index 93b125ebd4e3..faf37790544e 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -770,6 +770,7 @@ struct super_block *sget_fc(struct fs_context *fc,
        struct super_block *s = NULL;
        struct super_block *old;
        struct user_namespace *user_ns = fc->global ? &init_user_ns : 
fc->user_ns;
+       struct cred *cred = get_exec_env()->init_cred;
        int err;
 
        /*
@@ -779,8 +780,10 @@ struct super_block *sget_fc(struct fs_context *fc,
         * an fs_fd opened in another user namespace.
         */
        if (user_ns != &init_user_ns && !(fc->fs_type->fs_flags & 
FS_USERNS_MOUNT)) {
-               errorfc(fc, "VFS: Mounting from non-initial user namespace is 
not allowed");
-               return ERR_PTR(-EPERM);
+               if (!cred || !(cred->user_ns == user_ns && 
fc->fs_type->fs_flags & FS_VE_MOUNT)) {
+                       errorfc(fc, "VFS: Mounting from non-initial user 
namespace is not allowed");
+                       return ERR_PTR(-EPERM);
+               }
        }
 
 retry:
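Review bot: The new condition at the `if (!cred || ...)` line mixes `&` and `&&` without parentheses around the flag test, whereas the enclosing `if` parenthesizes `(fc->fs_type->fs_flags & FS_USERNS_MOUNT)`; it parses as intended because `&` binds tighter than `&&`, but `if (!cred || !(cred->user_ns == user_ns && (fc->fs_type->fs_flags & FS_VE_MOUNT))) {` reads consistently with the line above. The block comment that heads this check (its start lies above the hunk, as does the start of sget_fc) still describes only the old rule, so the exception deserves a line such as `* A filesystem flagged FS_VE_MOUNT may also be mounted from the container's init user namespace, i.e. the user_ns of the VE's init_cred.` The commit message says the v2/v3 rule keys on FS_INIT_CT_MOUNT while the hunk tests FS_VE_MOUNT, so one of the two should be corrected to match the other. The relaxation is decided purely by namespace identity plus the fs flag, with no capability check of its own, so it presumably relies on the mount path having already checked the caller's capabilities in that namespace; that assumption is worth confirming, since on the visible lines this is the only gate before the code falls through to `retry:`.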
-- 
2.43.0
