| author | Christian Brauner <brauner@kernel.org> | 2026-04-27 17:51:43 +0200 |
|---|---|---|
| committer | Christian Brauner <brauner@kernel.org> | 2026-05-11 23:13:02 +0200 |
| commit | a76640171b29fc91b9777a8e1bdc7e08db697275 (patch) | |
| tree | 50e38a655a8848ecac252f096d8111819f521733 /include/linux/fs | |
| parent | e75c21d5ad82def93bc77e9aa41c2212964a8d2f (diff) | |
| parent | c5dffafb426f927db1630140552dc11d6f76e1a6 (diff) | |
Merge patch series "proc: subset=pid: Relax check of mount visibility"
Alexey Gladkov <legion@kernel.org> says:
When mounting procfs with the subset=pids option, all static files become
unavailable and only the dynamic part with information about pids is accessible.
In this case, there is no point in imposing additional restrictions on the
visibility of the entire filesystem for the mounter. Everything that can be
hidden in procfs is already inaccessible.
Currently, these restrictions prevent procfs from being mounted inside rootless
containers, as almost all container implementations override part of procfs to
hide certain directories. Relaxing these restrictions will allow pidfs to be
used in nested containerization.
* patches from https://patch.msgid.link/cover.1777278334.git.legion@kernel.org:
  * docs: proc: add documentation about mount restrictions
  * proc: handle subset=pid separately in userns visibility checks
  * proc: prevent reconfiguring subset=pid
  * proc: subset=pid: Show /proc/self/net only for CAP_NET_ADMIN
  * sysfs: remove trivial sysfs_get_tree() wrapper
  * fs: move SB_I_USERNS_VISIBLE to FS_USERNS_MOUNT_RESTRICTED
  * namespace: record fully visible mounts in list
Link: https://patch.msgid.link/cover.1777278334.git.legion@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Diffstat (limited to 'include/linux/fs')
| -rw-r--r-- | include/linux/fs/super_types.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/include/linux/fs/super_types.h b/include/linux/fs/super_types.h index 383050e7fdf5..a6cdc8f6de4e 100644 --- a/include/linux/fs/super_types.h +++ b/include/linux/fs/super_types.h @@ -326,7 +326,7 @@ struct super_block { #define SB_I_STABLE_WRITES 0x00000008 /* don't modify blks until WB is done */ /* sb->s_iflags to limit user namespace mounts */ -#define SB_I_USERNS_VISIBLE 0x00000010 /* fstype already mounted */ +#define SB_I_RESTRICTED_VARIANT 0x00000010 #define SB_I_IMA_UNVERIFIABLE_SIGNATURE 0x00000020 #define SB_I_UNTRUSTED_MOUNTER 0x00000040 #define SB_I_EVM_HMAC_UNSUPPORTED 0x00000080 |
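Review bot: the new `#define SB_I_RESTRICTED_VARIANT 0x00000010` drops the trailing comment that the old line carried (`/* fstype already mounted */`) and that the neighbouring flags in this block still have, so the only documentation of what the bit now means is the series title. Suggest restoring a short comment on the new define, e.g. `/* restricted variant of the fstype (proc subset=pid) */`, since the block comment above it (`/* sb->s_iflags to limit user namespace mounts */`) only says these flags limit user namespace mounts, not how this one differs from SB_I_UNTRUSTED_MOUNTER. Also note that the bit value is reused under a new name rather than a fresh bit being allocated; that is fine as long as every in-tree user of SB_I_USERNS_VISIBLE is converted in the same series (the cover letter lists "fs: move SB_I_USERNS_VISIBLE to FS_USERNS_MOUNT_RESTRICTED"), because the rename turns any missed user into a build error rather than a silent semantics change.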
