Greetings! Preface ------- This patch set can be applied over: git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace.git d35bec8a5788 Overview -------- Directories and files can be created and deleted by dynamically loaded modules. Not all of these files are virtualized and safe inside the container. However, subset=pid is not enough because many containers wants to have /proc/meminfo, /proc/cpuinfo, etc. We need a way to limit the visibility of files per procfs mountpoint. Introduced changes ------------------ Allow to specify the names of files and directories in the subset= parameter and thereby make a whitelist of top-level permitted names. Alexey Gladkov (2): proc: use subset option to hide some top-level procfs entries docs: proc: update documentation about subset= parameter Documentation/filesystems/proc.rst | 6 +++ fs/proc/base.c | 15 +++++- fs/proc/generic.c | 75 +++++++++++++++++++++------ fs/proc/inode.c | 18 ++++--- fs/proc/internal.h | 12 +++++ fs/proc/root.c | 81 ++++++++++++++++++++++++------ include/linux/proc_fs.h | 11 ++-- 7 files changed, 175 insertions(+), 43 deletions(-) -- 2.25.4
