[RHEL8,COMMIT] ve/fs/namespace: allow submounts in non-init userns

Submitted by Konstantin Khorenko on March 19, 2021, 10:43 a.m.

Details

Message ID 202103191043.12JAhoDc904324@finist-co8.sw.ru
State New
Series "Series without cover letter"

Commit Message

Konstantin Khorenko March 19, 2021, 10:43 a.m.
The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.8
------>
commit 81a2b734416d18df45090b5185f137fd35598ab7
Author: Konstantin Khorenko <khorenko@virtuozzo.com>
Date:   Tue Jul 3 13:28:43 2018 +0300

    ve/fs/namespace: allow submounts in non-init userns
    
    A simple NFS mount inside a Container brings us to vfs_submount(), so if
    we want to enable NFS inside a Container (read: in the CT root userns), we
    have to soften the check for the init userns.
    
    SyS_mount
     do_mount
      vfs_kern_mount
       mount_fs
        nfs_fs_mount
         nfs4_try_mount
          nfs_follow_remote_path
           mount_subtree
            vfs_path_lookup
             do_path_lookup
              filename_lookup
               path_lookupat
                lookup_slow
                 follow_managed
                  nfs_d_automount
                   nfs4_submount
                    nfs_do_submount
                     vfs_submount
    
    https://jira.sw.ru/browse/PSBM-86277
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
    
    https://jira.sw.ru/browse/PSBM-127234
    (cherry picked from vz7 commit bc060d46276144f91a139b7d0acf384dcd0a4dde)
    
    vz7->vz8 port note: in vz7 the check has been dropped altogether;
    in vz8 we leave the check, but allow submounts only for the root CT userns.
    
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
    Reviewed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
---
 fs/namespace.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)


diff --git a/fs/namespace.c b/fs/namespace.c
index ecd4a56e21ad..ecf2909a8cd0 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -987,7 +987,30 @@  vfs_submount(const struct dentry *mountpoint, struct file_system_type *type,
 	 * through from the parent mount to the submount don't support
 	 * unprivileged mounts with submounts.
 	 */
-	if (mountpoint->d_sb->s_user_ns != &init_user_ns)
+	/* Simple NFS mount inside a Container brings us here, so if we want to
+	 * enable NFS inside a Container (read - in CT root userns), we have
+	 * to soften the check.
+	 *
+	 *  SyS_mount
+	 *   do_mount
+	 *    vfs_kern_mount
+	 *     mount_fs
+	 *      nfs_fs_mount
+	 *       nfs4_try_mount
+	 *        nfs_follow_remote_path
+	 *         mount_subtree
+	 *	    vfs_path_lookup
+	 *	     do_path_lookup
+	 *	      filename_lookup
+	 *	       path_lookupat
+	 *	        lookup_slow
+	 *	         follow_managed
+	 *	          nfs_d_automount
+	 *	           nfs4_submount
+	 *		    nfs_do_submount
+	 *		     vfs_submount
+	 */
+	if (mountpoint->d_sb->s_user_ns != ve_init_user_ns())
 		return ERR_PTR(-EPERM);
 
 	return vfs_kern_mount(type, SB_SUBMOUNT, name, data);
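Review bot: the check is widened to accept a parent superblock owned by the CT init userns, but the retained comment at the top of the hunk still says the user namespace is not passed through from the parent mount to the submount, and nothing in the hunk shows which s_user_ns the superblock created by `vfs_kern_mount(type, SB_SUBMOUNT, name, data)` will get. If that superblock is still created in the host init_user_ns, a submount triggered from inside a container ends up with a superblock more privileged than the parent mount that triggered it; the commit message should state how the submount's s_user_ns is derived in the CT case, or the comment should explain why that is safe. Two smaller points: the retained sentence "don't support unprivileged mounts with submounts" now contradicts the code below it and should be reworded or dropped, and the 23-line call trace duplicates the commit message (and mixes tabs and spaces in its indentation from `vfs_path_lookup` downwards); a one- or two-line comment pointing at the bug ID would be enough. It is also worth stating in the message that ve_init_user_ns() evaluates to &init_user_ns on the host, so that behaviour outside a container is unchanged from upstream.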