author: Jeff Layton <jlayton@kernel.org> 2026-01-29 16:47:43 -0500
committer: Christian Brauner <brauner@kernel.org> 2026-06-09 17:17:29 +0200
commit: c5d6cac28646b0d5d81ef632be748ae93c1f36c7
tree: 20ddcef800b43722459e18621faf6c4bd2ff87fa /drivers/platform/wmi/tests/git@git.tavy.me:linux.git
parent: 4bbcff264b678859cc404669bd145bcd6819804b
vfs: add FS_USERNS_DELEGATABLE flag and set it for NFS

Commit e1c5ae59c0f2 ("fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT") prevents the mount of any filesystem inside a container that doesn't have FS_USERNS_MOUNT set.

This broke NFS mounts in our containerized environment. We have a daemon somewhat like systemd-mountfsd running in the init_ns. A process does a fsopen() inside the container and passes it to the daemon via unix socket. The daemon then vets that the request is for an allowed NFS server and performs the mount. This now fails because the fc->user_ns is set to the value in the container and NFS doesn't set FS_USERNS_MOUNT. We don't want to add FS_USERNS_MOUNT to NFS since that would allow the container to mount any NFS server (even malicious ones).

Add a new FS_USERNS_DELEGATABLE flag, and enable it on NFS.

Fixes: e1c5ae59c0f2 ("fs: don't allow non-init s_user_ns for filesystems without FS_USERNS_MOUNT")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Link: https://patch.msgid.link/20260129-twmount-v1-1-4874ed2a15c4@kernel.org
Acked-by: Anna Schumaker <anna.schumaker@oracle.com>
Reviewed-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@futurfusion.io>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Christian Brauner (Amutable) <brauner@kernel.org>
Diffstat (limited to 'drivers/platform/wmi/tests/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions