Re: [PATCH v10 0/7] proc: subset=pid: Relax check of mount visibility
From: Aleksa Sarai
Date: Mon Apr 27 2026 - 18:35:14 EST
On 2026-04-27, Alexey Gladkov <legion@xxxxxxxxxx> wrote:
> When mounting procfs with the subset=pids option, all static files become
> unavailable and only the dynamic part with information about pids is accessible.
>
> In this case, there is no point in imposing additional restrictions on the
> visibility of the entire filesystem for the mounter. Everything that can be
> hidden in procfs is already inaccessible.
>
> Currently, these restrictions prevent pidfs from being mounted inside rootless
> containers, as almost all container implementations override part of procfs to
> hide certain directories. Relaxing these restrictions will allow pidfs to be
> used in nested containerization.
Aside from one minor nit about invalf, looks great! Feel free to take my
Reviewed-by: Aleksa Sarai <aleksa@xxxxxxxxxxxx>
--
Aleksa Sarai
https://www.cyphar.com/
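The cover letter quoted above argues that the overmounts container runtimes place on top of procfs (the reason the mount-visibility check currently refuses a fresh proc mount inside a rootless user namespace) are irrelevant once subset=pid is used. The following script, an added example that is not part of the series or of this thread, parses a mountinfo dump and reports, for each proc mount, whether it carries subset=pid and which mount points sit on top of it. The sample mountinfo lines are constructed; the only assumption is that subset=pid appears in the per-superblock options field, as it does on recent kernels.

```python
"""Report proc mounts, their subset=pid state and their overmounts.

Constructed sample: a host /proc with two overmounts (binfmt_misc and a
devtmpfs file bound over /proc/kcore, the pattern container runtimes use
to hide parts of procfs), plus a subset=pid proc mount for a nested root.
"""
import os
import re
from dataclasses import dataclass, field

SAMPLE_MOUNTINFO = """\
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
35 25 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
36 35 0:21 / /proc/sys/fs/binfmt_misc rw,relatime shared:6 - binfmt_misc binfmt_misc rw
37 35 0:5 /null /proc/kcore rw,nosuid shared:7 - devtmpfs udev rw,size=4096k
40 25 0:30 / /newroot/proc rw,nosuid,nodev,noexec,relatime - proc proc rw,subset=pid
41 25 0:31 / /mnt/with\\040space rw - tmpfs tmpfs rw
"""


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    mountpoint: str
    fstype: str
    super_opts: set
    children: list = field(default_factory=list)


def _unescape(s):
    # mountinfo encodes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mountinfo(text):
    """Parse /proc/self/mountinfo text into {mount_id: Mount} with child links."""
    mounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields (shared:N, master:N, ...) precede the " - " separator.
        pre, _, post = line.partition(" - ")
        pre_f = pre.split()
        post_f = post.split()
        m = Mount(
            mount_id=int(pre_f[0]),
            parent_id=int(pre_f[1]),
            mountpoint=_unescape(pre_f[4]),
            fstype=post_f[0],
            super_opts=set(post_f[2].split(",")),
        )
        mounts[m.mount_id] = m
    for m in mounts.values():
        parent = mounts.get(m.parent_id)
        if parent is not None:
            parent.children.append(m)
    return mounts


def proc_mount_report(mounts):
    """For every proc mount: is it subset=pid, and what is mounted on top of it?"""
    report = []
    for m in mounts.values():
        if m.fstype != "proc":
            continue
        report.append({
            "mountpoint": m.mountpoint,
            "subset_pid": "subset=pid" in m.super_opts,
            "overmounts": sorted(c.mountpoint for c in m.children),
        })
    return sorted(report, key=lambda r: r["mountpoint"])


if __name__ == "__main__":
    # Use the live table when available, otherwise the constructed sample.
    path = "/proc/self/mountinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_MOUNTINFO
    for entry in proc_mount_report(parse_mountinfo(text)):
        print(entry)
```

Run it on a real host from inside a container to see the overmounts the runtime added; a proc mount that shows overmounts and no subset=pid is the case the existing visibility check refuses to let an unprivileged nested mount copy, while a subset=pid mount exposes nothing those overmounts could have hidden.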