On Mon, 11 Jul 2022 at 19:48, Dave Marchevsky <davemarchevsky@xxxxxx> wrote: > > Since commit 73f03c2b4b52 ("fuse: Restrict allow_other to the > superblock's namespace or a descendant"), access to allow_other FUSE > filesystems has been limited to users in the mounting user namespace or > descendants. This prevents a process that is privileged in its userns - > but not its parent namespaces - from mounting a FUSE fs w/ allow_other > that is accessible to processes in parent namespaces. > > While this restriction makes sense overall it breaks a legitimate > usecase: I have a tracing daemon which needs to peek into > process' open files in order to symbolicate - similar to 'perf'. The > daemon is a privileged process in the root userns, but is unable to peek > into FUSE filesystems mounted by processes in child namespaces. > > This patch adds a module param, allow_sys_admin_access, to act as an > escape hatch for this descendant userns logic and for the allow_other > mount option in general. Setting allow_sys_admin_access allows > processes with CAP_SYS_ADMIN in the initial userns to access FUSE > filesystems irrespective of the mounting userns or whether allow_other > was set. A sysadmin setting this param must trust FUSEs on the host to > not DoS processes as described in 73f03c2b4b52. > > Signed-off-by: Dave Marchevsky <davemarchevsky@xxxxxx> > Reviewed-by: Christian Brauner (Microsoft) <brauner@xxxxxxxxxx> Applied, thanks. Miklos