If only the dynamic part of procfs is mounted (subset=pid), then there is no need to check if procfs is fully visible to the user in the new user namespace. Changelog --------- v3: * Add 'const' to struct cred *mounter_cred (fix kernel test robot warning). v2: * cache the mounters credentials and make access to the net directories contingent of the permissions of the mounter of procfs. Alexey Gladkov (2): proc: Relax check of mount visibility Show /proc/self/net only for CAP_NET_ADMIN fs/namespace.c | 27 ++++++++++++++++----------- fs/proc/proc_net.c | 8 ++++++++ fs/proc/root.c | 21 +++++++++++++++------ include/linux/fs.h | 1 + include/linux/proc_fs.h | 1 + 5 files changed, 41 insertions(+), 17 deletions(-) -- 2.25.4
