| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJqdLrp-LMVNng0F2xx1C0BtYvcidokZm6_tdssE+Z57v+tpqA@mail.gmail.com>
Date: Tue, 3 Feb 2026 17:45:13 +0100
From: Alexander Mikhalitsyn <alexander@...alicyn.com>
To: Christian Brauner <brauner@...nel.org>
Cc: Jeff Layton <jlayton@...nel.org>, Trond Myklebust <trondmy@...nel.org>,
Anna Schumaker <anna@...nel.org>, Alexander Viro <viro@...iv.linux.org.uk>, Jan Kara <jack@...e.cz>,
"Seth Forshee (DigitalOcean)" <sforshee@...nel.org>, linux-nfs@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] vfs: add FS_USERNS_DELEGATABLE flag and set it for NFS
Am Di., 3. Feb. 2026 um 17:41 Uhr schrieb Christian Brauner
<brauner@...nel.org>:
>
> On Tue, Feb 03, 2026 at 11:21:25AM -0500, Jeff Layton wrote:
> > On Tue, 2026-02-03 at 17:11 +0100, Alexander Mikhalitsyn wrote:
> > > Am Do., 29. Jan. 2026 um 22:48 Uhr schrieb Jeff Layton <jlayton@...nel.org>:
> > > >
> > > > Commit e1c5ae59c0f2 ("fs: don't allow non-init s_user_ns for filesystems
> > > > without FS_USERNS_MOUNT") prevents the mount of any filesystem inside a
> > > > container that doesn't have FS_USERNS_MOUNT set.
> > > >
> > >
> > > Hi Jeff,
> > >
> > > > This broke NFS mounts in our containerized environment. We have a daemon
> > > > somewhat like systemd-mountfsd running in the init_ns. A process does a
> > > > fsopen() inside the container and passes it to the daemon via unix
> > > > socket.
> > > >
> > > > The daemon then vets that the request is for an allowed NFS server and
> > > > performs the mount. This now fails because the fc->user_ns is set to the
> > > > value in the container and NFS doesn't set FS_USERNS_MOUNT. We don't
> > > > want to add FS_USERNS_MOUNT to NFS since that would allow the container
> > > > to mount any NFS server (even malicious ones).
> > > >
> > > > Add a new FS_USERNS_DELEGATABLE flag, and enable it on NFS.
> > >
> > > Great idea, very similar to what we have with BPFFS/BPF Tokens.
> > >
> > > Taking into account this patch, shouldn't we drop FS_USERNS_MOUNT and
> > > replace it with
> > > FS_USERNS_DELEGATABLE for bpffs too?
> > >
> > > I mean something like:
> > >
> > > ======================
> > > $ git diff
> > > diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
> > > index 9f866a010dad..d8dfdc846bd0 100644
> > > --- a/kernel/bpf/inode.c
> > > +++ b/kernel/bpf/inode.c
> > > @@ -1009,10 +1009,6 @@ static int bpf_fill_super(struct super_block
> > > *sb, struct fs_context *fc)
> > > struct inode *inode;
> > > int ret;
> > >
> > > - /* Mounting an instance of BPF FS requires privileges */
> > > - if (fc->user_ns != &init_user_ns && !capable(CAP_SYS_ADMIN))
> > > - return -EPERM;
> > > -
> > > ret = simple_fill_super(sb, BPF_FS_MAGIC, bpf_rfiles);
> > > if (ret)
> > > return ret;
> > > @@ -1085,7 +1081,7 @@ static struct file_system_type bpf_fs_type = {
> > > .init_fs_context = bpf_init_fs_context,
> > > .parameters = bpf_fs_parameters,
> > > .kill_sb = bpf_kill_super,
> > > - .fs_flags = FS_USERNS_MOUNT,
> > > + .fs_flags = FS_USERNS_DELEGATABLE,
> > > };
> > >
> > > static int __init bpf_init(void)
> > > ======================
> > >
> > > Because it feels like we were basically implementing this FS_USERNS_DELEGATABLE
> > > flag implicitly for BPFFS before. I can submit a patch for BPFFS later
> > > after testing.
>
> Can you send that to the list, please?
Sure, I'll do that a bit later! I'm still in Brussels ;-)
> Thanks!
Powered by blists - more mailing lists