From patchwork Fri Nov 29 22:07:52 2013
X-Patchwork-Submitter: "Serge E. Hallyn"
X-Patchwork-Id: 295531
Date: Fri, 29 Nov 2013 16:07:52 -0600
From: Serge Hallyn
To: kernel-team@lists.ubuntu.com
Subject: [ebiederm@xmission.com: [REVIEW][PATCH 3/3] vfs: Fix a regression in mounting proc]
Message-ID: <20131129220752.GB16889@sergelap>
User-Agent: Mutt/1.5.21 (2010-09-15)

Hi,

This is the second patch needed in trusty's kernel for containers. It is in
https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/log/?h=for-next
(and I assume linux-next). This fixes a regression recently introduced which prevents using user namespaces for containers.

----- Forwarded message from "Eric W. Biederman" -----

Date: Tue, 26 Nov 2013 16:17:36 -0800
From: "Eric W. Biederman"
To: "Serge E. Hallyn"
Cc: Gao feng, Containers, linux-fsdevel@vger.kernel.org, Aditya Kali, Oleg Nesterov, Andy Lutomirski
Subject: [REVIEW][PATCH 3/3] vfs: Fix a regression in mounting proc

Gao feng reported that commit e51db73532955dc5eaba4235e62b74b460709d5b
userns: Better restrictions on when proc and sysfs can be mounted
caused a regression on mounting a new instance of proc in a mount namespace created with user namespace privileges, when binfmt_misc is mounted on /proc/sys/fs/binfmt_misc.

This is an unintended regression caused by the absolutely bogus empty directory check in fs_fully_visible. The check fs_fully_visible replaced didn't even bother to attempt to verify proc was fully visible, and hiding proc files with any kind of mount is rare.

So for now fix the userspace regression by allowing a directory with nlink == 1 as /proc/sys/fs/binfmt_misc has. I will have a better patch but it is not stable material, or last minute kernel material. So it will have to wait.

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" --- fs/namespace.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index ac2ce8a766e1..be32ebccdeb1 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2886,7 +2886,7 @@ bool fs_fully_visible(struct file_system_type *type) struct inode *inode = child->mnt_mountpoint->d_inode; if (!S_ISDIR(inode->i_mode)) goto next; - if (inode->i_nlink != 2) + if (inode->i_nlink > 2) goto next; } visible = true;
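Review bot: the relaxed test in the fs_fully_visible hunk, `if (inode->i_nlink > 2)`, admits nlink values 0, 1 and 2 rather than only the 1 and 2 the commit message talks about, and nothing in the code records why nlink <= 2 is taken to mean "empty directory". Since this loop decides whether a child mount is covering something that a fresh proc mount in a user namespace would otherwise reveal, please make the intent explicit, e.g. `if (inode->i_nlink != 1 && inode->i_nlink != 2)` (or keep `> 2` with a comment), and add a comment stating that this is a stopgap heuristic that trusts a directory reporting nlink == 1 (as /proc/sys/fs/binfmt_misc does) to be empty, so the "better patch" the message promises has a clear marker to replace.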