[PATCH RFC] allow some kernel filesystems to be mounted in a usernamespace

From: Serge Hallyn
Date: Tue Jul 16 2013 - 15:29:34 EST


All the files will be owned by host root, so there's no security
concern in allowing this.

(These are mounted by default by mountall, and if permission is
denied then by default container boot will hang)

Signed-off-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>
---
fs/debugfs/inode.c | 1 +
fs/fuse/control.c | 1 +
security/inode.c | 1 +
3 files changed, 3 insertions(+)

diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 4888cb3..8632432 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -298,6 +298,7 @@ static struct file_system_type debug_fs_type = {
.name = "debugfs",
.mount = debug_mount,
.kill_sb = kill_litter_super,
+ .fs_flags = FS_USERNS_MOUNT,
};
MODULE_ALIAS_FS("debugfs");

diff --git a/fs/fuse/control.c b/fs/fuse/control.c
index a0b0855..4991441 100644
--- a/fs/fuse/control.c
+++ b/fs/fuse/control.c
@@ -340,6 +340,7 @@ static struct file_system_type fuse_ctl_fs_type = {
.name = "fusectl",
.mount = fuse_ctl_mount,
.kill_sb = fuse_ctl_kill_sb,
+ .fs_flags = FS_USERNS_MOUNT,
};
MODULE_ALIAS_FS("fusectl");

diff --git a/security/inode.c b/security/inode.c
index 43ce6e1..ec18abd 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -49,6 +49,7 @@ static struct file_system_type fs_type = {
.name = "securityfs",
.mount = get_sb,
.kill_sb = kill_litter_super,
+ .fs_flags = FS_USERNS_MOUNT,
};

/**
--
1.8.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/