diff options
| -rw-r--r-- | fs/namespace.c | 17 | ||||
| -rw-r--r-- | fs/proc/root.c | 3 | ||||
| -rw-r--r-- | include/linux/fs/super_types.h | 1 |
3 files changed, 20 insertions, 1 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index e6e58117c778..9a66a806a9b8 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -6353,10 +6353,18 @@ static bool mnt_already_visible(struct mnt_namespace *ns, guard(namespace_shared)(); hlist_for_each_entry(mnt, &ns->mnt_visible_mounts, mnt_ns_visible) { + const struct super_block *sb_visible = mnt->mnt.mnt_sb; struct mount *child; int mnt_flags; - if (mnt->mnt.mnt_sb->s_type != sb->s_type) + if (sb_visible->s_type != sb->s_type) + continue; + + /* + * Restricted variants are not compatible with anything, even + * other restricted variants. + */ + if (sb_visible->s_iflags & SB_I_RESTRICTED_VARIANT) continue; /* A local view of the mount flags */ @@ -6418,6 +6426,13 @@ static bool mount_too_revealing(const struct super_block *sb, int *new_mnt_flags return true; } + /* + * Restricted variants don't need an already visible mount because they + * don't expose the full filesystem view. + */ + if (s_iflags & SB_I_RESTRICTED_VARIANT) + return false; + return !mnt_already_visible(ns, sb, new_mnt_flags); } diff --git a/fs/proc/root.c b/fs/proc/root.c index 1bf75a4ee146..99adddfeb4a4 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -275,6 +275,9 @@ static int proc_fill_super(struct super_block *s, struct fs_context *fc) s->s_time_gran = 1; s->s_fs_info = fs_info; + if (fs_info->pidonly == PROC_PIDONLY_ON) + s->s_iflags |= SB_I_RESTRICTED_VARIANT; + /* * procfs isn't actually a stacking filesystem; however, there is * too much magic going on inside it to permit stacking things on diff --git a/include/linux/fs/super_types.h b/include/linux/fs/super_types.h index 182efbeb9520..a6cdc8f6de4e 100644 --- a/include/linux/fs/super_types.h +++ b/include/linux/fs/super_types.h @@ -326,6 +326,7 @@ struct super_block { #define SB_I_STABLE_WRITES 0x00000008 /* don't modify blks until WB is done */ /* sb->s_iflags to limit user namespace mounts */ +#define SB_I_RESTRICTED_VARIANT 0x00000010 #define SB_I_IMA_UNVERIFIABLE_SIGNATURE 0x00000020 #define SB_I_UNTRUSTED_MOUNTER 0x00000040 #define SB_I_EVM_HMAC_UNSUPPORTED 0x00000080 |