If only the dynamic part of procfs is mounted (subset=pid), then there is no
need to check if procfs is fully visible to the user in the new user namespace.

Changelog
---------
v4:
* Set SB_I_DYNAMIC only if pidonly is set.
* Add an error message if subset=pid is canceled during remount.

v3:
* Add 'const' to struct cred *mounter_cred (fix kernel test robot warning).

v2:
* cache the mounter's credentials and make access to the net directories
  contingent on the permissions of the mounter of procfs.

--

Alexey Gladkov (3):
  proc: Relax check of mount visibility
  proc: Show /proc/self/net only for CAP_NET_ADMIN
  proc: Disable cancellation of subset=pid option

 fs/namespace.c          | 27 ++++++++++++++++-----------
 fs/proc/proc_net.c      |  8 ++++++++
 fs/proc/root.c          | 29 ++++++++++++++++++++++-------
 include/linux/fs.h      |  1 +
 include/linux/proc_fs.h |  1 +
 5 files changed, 48 insertions(+), 18 deletions(-)

--
2.25.4