On Wed, Mar 10, 2021 at 07:19:55PM +0100, Alexey Gladkov wrote:
> If only the dynamic part of procfs is mounted (subset=pid), then there is no
> need to check if procfs is fully visible to the user in the new user namespace.

I'm sorry about that unfinished patch set. Please ignore it.

> Changelog
> ---------
> v4:
> * Set SB_I_DYNAMIC only if pidonly is set.
> * Add an error message if subset=pid is canceled during remount.
>
> v3:
> * Add 'const' to struct cred *mounter_cred (fix kernel test robot warning).
>
> v2:
> * cache the mounter's credentials and make access to the net directories
>   contingent on the permissions of the mounter of procfs.
>
> --
>
> Alexey Gladkov (5):
>   docs: proc: add documentation about mount restrictions
>   proc: Show /proc/self/net only for CAP_NET_ADMIN
>   proc: Disable cancellation of subset=pid option
>   proc: Relax check of mount visibility
>   docs: proc: add documentation about relaxing visibility restrictions
>
>  Documentation/filesystems/proc.rst | 18 ++++++++++++++++++
>  fs/namespace.c                     | 27 ++++++++++++++++-----------
>  fs/proc/proc_net.c                 |  8 ++++++++
>  fs/proc/root.c                     | 25 +++++++++++++++++++------
>  include/linux/fs.h                 |  1 +
>  include/linux/proc_fs.h            |  1 +
>  6 files changed, 63 insertions(+), 17 deletions(-)
>
> --
> 2.29.2
>

--
Rgrds, legion

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers