Quoting Miklos Szeredi (miklos@xxxxxxxxxx): > From: Miklos Szeredi <mszeredi@xxxxxxx> > > If CLONE_NEWNS and CLONE_NEWNS_USERMNT are given to clone(2) or > unshare(2), then allow user mounts within the new namespace. > > This is not flexible enough, because user mounts can't be enabled for > the initial namespace. > > The remaining clone bits also getting dangerously few... > > Alternatives are: > > - prctl() flag > - setting through the containers filesystem Sorry, I know I had mentioned it, but this is definately my least favorite approach. Curious whether are any other suggestions/opinions from the containers list? thanks, -serge > Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxx> > --- > > Index: linux/fs/namespace.c > =================================================================== > --- linux.orig/fs/namespace.c 2007-04-12 13:46:19.000000000 +0200 > +++ linux/fs/namespace.c 2007-04-12 13:54:36.000000000 +0200 > @@ -1617,6 +1617,8 @@ struct mnt_namespace *copy_mnt_ns(int fl > return ns; > > new_ns = dup_mnt_ns(ns, new_fs); > + if (new_ns && (flags & CLONE_NEWNS_USERMNT)) > + new_ns->flags |= MNT_NS_PERMIT_USERMOUNTS; > > put_mnt_ns(ns); > return new_ns; > Index: linux/include/linux/sched.h > =================================================================== > --- linux.orig/include/linux/sched.h 2007-04-12 13:26:48.000000000 +0200 > +++ linux/include/linux/sched.h 2007-04-12 13:54:36.000000000 +0200 > @@ -26,6 +26,7 @@ > #define CLONE_STOPPED 0x02000000 /* Start in stopped state */ > #define CLONE_NEWUTS 0x04000000 /* New utsname group? */ > #define CLONE_NEWIPC 0x08000000 /* New ipcs */ > +#define CLONE_NEWNS_USERMNT 0x10000000 /* Allow user mounts in ns? */ > > /* > * Scheduling policies > Index: linux/kernel/fork.c > =================================================================== > --- linux.orig/kernel/fork.c 2007-04-11 18:27:46.000000000 +0200 > +++ linux/kernel/fork.c 2007-04-12 13:59:10.000000000 +0200 > @@ -1586,7 +1586,7 @@ asmlinkage long sys_unshare(unsigned lon > err = -EINVAL; > if (unshare_flags & ~(CLONE_THREAD|CLONE_FS|CLONE_NEWNS|CLONE_SIGHAND| > CLONE_VM|CLONE_FILES|CLONE_SYSVSEM| > - CLONE_NEWUTS|CLONE_NEWIPC)) > + CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNS_USERMNT)) > goto bad_unshare_out; > > if ((err = unshare_thread(unshare_flags))) > > -- > - > To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html - To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
