Message-Id: <20210519132055.682958-1-brauner@kernel.org>
Date: Wed, 19 May 2021 15:20:55 +0200
From: Christian Brauner <brauner@...nel.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [GIT PULL] fs mount_setattr fix
/* Summary */
This simple change makes an underlying assumption more explicit. We currently
don't have any filesystems that support idmapped mounts which are mountable
inside a user namespace, i.e. where s_user_ns != init_user_ns. That was a
deliberate decision for now as userns root can just mount the filesystem
themselves.
Express this restriction explicitly and enforce it until there's a real
use-case for this. This way we can notice it and will have a chance to adapt
and audit our translation helpers and fstests appropriately if we need to
support such filesystems.
On a general note, we're seeing idmapped mounts being adopted rapidly. Since
5.12 was released systemd has already merged full support for idmapped mounts.
Discussions have kicked off for Docker/Moby, k8s, runC, and the containerd
patchset is about to be reworked. Requests for more filesystems are coming in
including btrfs and overlayfs and we're discussing fanotify making use of
idmapped mounts to implement filtered filesystem marks which will be a great
addition as well. We won't be able to please everyone's desire or design of
course but it feels like we hit the right direction with this patchset.
The following changes since commit 6efb943b8616ec53a5e444193dccf1af9ad627b5:

  Linux 5.13-rc1 (2021-05-09 14:17:44 -0700)

are available in the Git repository at:

  git@...olite.kernel.org:pub/scm/linux/kernel/git/brauner/linux tags/fs.idmapped.mount_setattr.v5.13-rc3

for you to fetch changes up to 2ca4dcc4909d787ee153272f7efc2bff3b498720:

  fs/mount_setattr: tighten permission checks (2021-05-12 14:13:16 +0200)

/* Testing */
All patches are based on v5.13-rc1 and have been sitting in linux-next. No
build failures or warnings were observed. All fstests are passing.
/* Conflicts */
At the time of creating this PR no merge conflicts were reported from
linux-next and no merge conflicts showed up doing a test-merge with current
mainline.
Please consider pulling these changes from the signed fs.idmapped.mount_setattr.v5.13-rc3 tag.
Thanks!
Christian
----------------------------------------------------------------
fs.idmapped.mount_setattr.v5.13-rc3
----------------------------------------------------------------
Christian Brauner (1):
      fs/mount_setattr: tighten permission checks

 fs/namespace.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)