Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx):
>
> Gao feng <gaofeng@xxxxxxxxxxxxxx> reported that commit
> e51db73532955dc5eaba4235e62b74b460709d5b
> userns: Better restrictions on when proc and sysfs can be mounted
> caused a regression on mounting a new instance of proc in a mount
> namespace created with user namespace privileges, when binfmt_misc
> is mounted on /proc/sys/fs/binfmt_misc.
>
> This is an unintended regression caused by the absolutely bogus empty
> directory check in fs_fully_visible. The check fs_fully_visible replaced
> didn't even bother to attempt to verify proc was fully visible and
> hiding proc files with any kind of mount is rare. So for now fix
> the userspace regression by allowing a directory with nlink == 1
> as /proc/sys/fs/binfmt_misc has.
>
> I will have a better patch but it is not stable material, or
> last minute kernel material. So it will have to wait.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

Thanks, Eric, this should make user namespaces useful again for containers.

Acked-by: Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx>

> ---
> fs/namespace.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index ac2ce8a766e1..be32ebccdeb1 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2886,7 +2886,7 @@ bool fs_fully_visible(struct file_system_type *type)
>  struct inode *inode = child->mnt_mountpoint->d_inode;
>  if (!S_ISDIR(inode->i_mode))
>  goto next;
> - if (inode->i_nlink != 2)
> + if (inode->i_nlink > 2)
>  goto next;
>  }
>  visible = true;
> --
> 1.7.5.4

Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
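Review bot: The new condition `if (inode->i_nlink > 2)` is broader than the nlink == 1 case the commit message gives as its justification (the /proc/sys/fs/binfmt_misc directory): it also lets a mountpoint directory with nlink == 0 pass the check, and it no longer expresses "empty directory" at all, which is the property fs_fully_visible was using to decide that a mount cannot hide proc entries beneath it. If the intent is exactly the binfmt_misc case, `if (inode->i_nlink != 1 && inode->i_nlink != 2)` states it precisely; either way, since the message itself calls this an interim fix for stable with a better patch to follow, a short comment at the check recording that the visibility test has been deliberately relaxed and why would help whoever revisits this code.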