From: Alexey Gladkov
To: LKML, "Eric W . Biederman"
Cc: Alexey Gladkov, Alexander Viro, Kees Cook, Linux Containers, Linux FS Devel
Subject: [PATCH v5 0/5] proc: Relax check of mount visibility
Date: Wed, 10 Mar 2021 19:19:55 +0100

If only the dynamic part of procfs is mounted (subset=pid), then there is no need to check if procfs is fully visible to the user in the new user namespace.

Changelog
---------
v4:
* Set SB_I_DYNAMIC only if pidonly is set.
* Add an error message if subset=pid is canceled during remount.

v3:
* Add 'const' to struct cred *mounter_cred (fix kernel test robot warning).

v2:
* Cache the mounter's credentials and make access to the net directories contingent on the permissions of the mounter of procfs.

--

Alexey Gladkov (5):
  docs: proc: add documentation about mount restrictions
  proc: Show /proc/self/net only for CAP_NET_ADMIN
  proc: Disable cancellation of subset=pid option
  proc: Relax check of mount visibility
  docs: proc: add documentation about relaxing visibility restrictions

 Documentation/filesystems/proc.rst | 18 ++++++++++++++++++
 fs/namespace.c                     | 27 ++++++++++++++++-----------
 fs/proc/proc_net.c                 |  8 ++++++++
 fs/proc/root.c                     | 25 +++++++++++++++++++------
 include/linux/fs.h                 |  1 +
 include/linux/proc_fs.h            |  1 +
 6 files changed, 63 insertions(+), 17 deletions(-)

-- 
2.29.2
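Added example, not part of this series or of the kernel tree: a small audit script that reads a mountinfo listing and reports which proc mounts carry subset=pid (the mode this series exempts from the mount visibility check) and which still expose the full tree. The mountinfo lines are constructed; in practice pass the contents of /proc/self/mountinfo.

```shell
#!/bin/sh
# Added example (not from the patch series): audit proc mounts in a mountinfo
# listing and report which are restricted to the dynamic part (subset=pid).
# mountinfo format: fields 1-6 are mount id, parent id, major:minor, root,
# mount point, mount options; a variable number of optional fields follows,
# then a lone "-", then fstype, source and superblock options.

# Constructed sample: one full proc mount, one subset=pid mount, one sysfs.
SAMPLE_MOUNTINFO=$(cat <<'EOF'
36 25 0:33 / /proc rw,nosuid,nodev,noexec,relatime shared:15 - proc proc rw
120 95 0:61 / /tmp/ns/proc rw,nosuid,nodev,noexec,relatime - proc proc rw,subset=pid
121 95 0:34 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
EOF
)

# Print "<mountpoint> full" or "<mountpoint> subset=pid" for every proc mount.
# $1: mountinfo text
list_proc_mounts() {
    printf '%s\n' "$1" | awk '
        {
            # Find the "-" separator; the optional fields before it vary.
            for (i = 7; i <= NF; i++) if ($i == "-") break
            fstype = $(i + 1); sbopts = $(i + 3); mnt = $5
            if (fstype != "proc") next
            mode = "full"
            n = split(sbopts, o, ",")
            for (j = 1; j <= n; j++) if (o[j] == "subset=pid") mode = "subset=pid"
            print mnt, mode
        }'
}

# Count proc mounts that still expose the full tree, i.e. the ones to which
# the visibility check described in the cover letter still applies.
# $1: mountinfo text
count_full_proc_mounts() {
    list_proc_mounts "$1" | awk '$2 == "full"' | wc -l | tr -d ' '
}

list_proc_mounts "$SAMPLE_MOUNTINFO"
```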