If only the dynamic part of procfs is mounted (subset=pid), then there is no
need to check if procfs is fully visible to the user in the new user
namespace.

Changelog
---------
v4:
* Set SB_I_DYNAMIC only if pidonly is set.
* Add an error message if subset=pid is canceled during remount.

v3:
* Add 'const' to struct cred *mounter_cred (fix kernel test robot warning).

v2:
* cache the mounter's credentials and make access to the net directories
  contingent on the permissions of the mounter of procfs.

--

Alexey Gladkov (5):
  docs: proc: add documentation about mount restrictions
  proc: Show /proc/self/net only for CAP_NET_ADMIN
  proc: Disable cancellation of subset=pid option
  proc: Relax check of mount visibility
  docs: proc: add documentation about relaxing visibility restrictions

 Documentation/filesystems/proc.rst | 18 ++++++++++++++++++
 fs/namespace.c                     | 27 ++++++++++++++++-----------
 fs/proc/proc_net.c                 |  8 ++++++++
 fs/proc/root.c                     | 25 +++++++++++++++++++------
 include/linux/fs.h                 |  1 +
 include/linux/proc_fs.h            |  1 +
 6 files changed, 63 insertions(+), 17 deletions(-)

--
2.29.2