[Devel] fuse: allow to mount if process is in init_user_ns

Submitted by Stanislav Kinsburskiy on June 9, 2017, 1:09 p.m.

Details

Message ID 20170609130944.27317.69793.stgit@localhost.localdomain
State New
Series "fuse: allow to mount if process is in init_user_ns"

Commit Message

Stanislav Kinsburskiy June 9, 2017, 1:09 p.m.
Regardless of its current VE.

https://jira.sw.ru/browse/PSBM-67185

Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
---
 fs/fuse/inode.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 090a7ab..a8d7924 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -1211,7 +1211,8 @@  static int fuse_fill_super(struct super_block *sb, void *data, int silent)
 		goto err;
 
 	if ((file->f_op != &fuse_dev_operations) ||
-	    (file->f_cred->user_ns != ve_init_user_ns()))
+	    ((file->f_cred->user_ns != &init_user_ns) &&
+	     (file->f_cred->user_ns != ve_init_user_ns())))
 		goto err_fput;
 
 	fc = kmalloc(sizeof(*fc), GFP_KERNEL);
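
Review bot: the widened condition in fuse_fill_super() carries no comment, and the changelog body is a single fragment, so a reader cannot tell why a device file whose f_cred->user_ns is &init_user_ns is accepted when ve_init_user_ns() returns something else. Suggest a short comment above the `if` naming the case each comparison covers, and moving the two namespace comparisons into a small helper so the `||` / `&&` nesting does not have to be read by counting parentheses.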

Comments

Stanislav Kinsburskiy June 13, 2017, 9:58 a.m.
13.06.2017 11:53, Kirill Tkhai wrote:
> On 09.06.2017 16:27, Stanislav Kinsburskiy wrote:
>> Kirill, please, review.
>>
>>
>>
>> -------- Forwarded message --------
>> Subject: 	[Devel] [PATCH] fuse: allow to mount if process is in init_user_ns
>> Date: 	Fri, 9 Jun 2017 17:09:49 +0400
>> From: 	Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
>> To: 	devel@openvz.org
>> Cc: 	kthai@virtuozzo.com
>>
>>
>>
>> Regardless of its current VE.
> Could you please write why we need this patch?
>   

Sure.
The initial restriction was to prevent FUSE mount in a non-init user
namespace.
Commit 8c6e51363 broke this logic, and this patch brings it back.
Why it's needed: SPFS (NFS migration engine) now works outside the
container, but due to the restore architecture it belongs to a non-root VE.
I.e. it works in the "init" namespaces environment, but in the container VE, and
this patch allows it to mount FUSE.

>> https://jira.sw.ru/browse/PSBM-67185
>>
>> Signed-off-by: Stanislav Kinsburskiy <skinsbursky@virtuozzo.com>
>> ---
>>   fs/fuse/inode.c |    3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
>> index 090a7ab..a8d7924 100644
>> --- a/fs/fuse/inode.c
>> +++ b/fs/fuse/inode.c
>> @@ -1211,7 +1211,8 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
>>   		goto err;
>>   
>>   	if ((file->f_op != &fuse_dev_operations) ||
>> -	    (file->f_cred->user_ns != ve_init_user_ns()))
>> +	    ((file->f_cred->user_ns != &init_user_ns) &&
>> +	     (file->f_cred->user_ns != ve_init_user_ns())))
>>   		goto err_fput;
>>   
>>   	fc = kmalloc(sizeof(*fc), GFP_KERNEL);
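
Review bot: the test in this hunk is made on file->f_cred->user_ns, the credentials attached to the fuse device file, while the subject line speaks of the mounting process being in init_user_ns. The changelog should state which of the two is intended, because the credentials recorded on the file and those of the task calling mount can differ; if the caller is what matters, the condition should look at the caller's credentials too.
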
>>