Some full-OS container software bind mounts debugfs into containers to
satisfy the assumptions of older userspaces which expect to be able to
mount debugfs. This regressed in 4.1 due to the addition of tracefs,
which gets automounted in the tracing subdirectory of debugfs. In a
cloned mount namespace the bind mount now fails because the tracefs
mount is a locked child of the debugfs mount.

For new mounts we already make an exception to the "locked child mount"
rule. Directories in pseudo filesystems created for the sole purpose of
being mountpoints are created as permanently empty directories which can
never contain any entries, therefore the kernel can know that any mounts
on these directories are not for security purposes. These mounts are
then excluded from locked mount tests in some circumstances.

The same logic clearly applies to directories created in
debugfs_create_automount(). The following patches update this function
to create permanently empty directories for mountpoints and adds an
exclusion to the tests for bind mounts to exclude child mounts on
permanently empty directories.

Thanks,
Seth

Seth Forshee (2):
  fs: Allow bind mounts with locked children on permaenetly empty
    directories
  debugfs: Make automount point inodes permanently empty

 fs/debugfs/inode.c | 2 +-
 fs/namespace.c     | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
