13.06.2017 11:53, Kirill Tkhai wrote:
On 09.06.2017 16:27, Stanislav Kinsburskiy wrote:
Kirill, please review.



-------- Forwarded Message --------
Subject: [Devel] [PATCH] fuse: allow to mount if process is in init_user_ns
Date:    Fri, 9 Jun 2017 17:09:49 +0400
From:    Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>
To:      devel@openvz.org
CC:      kt...@virtuozzo.com



Regardless of its current VE.
Could you please write why we need this patch?

Sure.
The initial restriction was to prevent FUSE mounts in a non-init user namespace.
Commit 8c6e51363 broke this logic, and this patch brings it back.
Why it's needed: SPFS (NFS migration engine) now works outside the container, but due to the restore architecture it belongs to a non-root VE. I.e. it works in the "init" namespaces environment, but in the container VE, and this patch allows it to mount FUSE.

https://jira.sw.ru/browse/PSBM-67185

Signed-off-by: Stanislav Kinsburskiy <skinsbur...@virtuozzo.com>
---
  fs/fuse/inode.c |    3 ++-
  1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 090a7ab..a8d7924 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1211,7 +1211,8 @@ static int fuse_fill_super(struct super_block *sb, void 
*data, int silent)
                goto err;
if ((file->f_op != &fuse_dev_operations) ||
-           (file->f_cred->user_ns != ve_init_user_ns()))
+           ((file->f_cred->user_ns != &init_user_ns) &&
+            (file->f_cred->user_ns != ve_init_user_ns())))
                goto err_fput;
fc = kmalloc(sizeof(*fc), GFP_KERNEL);
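Review bot: The new `&init_user_ns` arm of the condition in fuse_fill_super() has no comment saying why an opener of the fuse device in the initial user namespace is accepted regardless of its VE; the rationale (SPFS running in the init namespaces while belonging to the container VE) exists only in the mail thread. Add a short comment above the `if` and carry the same explanation in the commit message, naming commit 8c6e51363 by its subject line as the change being corrected. Since `file->f_cred->user_ns` is now dereferenced twice, consider reading it into a local once so the two comparisons are easier to audit.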

_______________________________________________
Devel mailing list
Devel@openvz.org
https://lists.openvz.org/mailman/listinfo/devel

