On Wed, Jan 25, 2023 at 03:36:28PM -0800, Andrew Morton wrote: > On Wed, 25 Jan 2023 16:28:47 +0100 Alexey Gladkov <legion@xxxxxxxxxx> wrote: > > > The patch expands subset= option. If the proc is mounted with the > > subset=allowlist option, the /proc/allowlist file will appear. This file > > contains the filenames and directories that are allowed for this > > mountpoint. By default, /proc/allowlist contains only its own name. > > Changing the allowlist is possible as long as it is present in the > > allowlist itself. > > > > This allowlist is applied in lookup/readdir so files that will create > > modules after mounting will not be visible. > > > > Compared to the previous patches [1][2], I switched to a special virtual > > file from listing filenames in the mount options. > > > > Changlog doesn't explain why you think Linux needs this feature. The > [2/6] changelog hints that containers might be involved. IOW, please > fully describe the requirement and use-case(s). Ok. I will. Basically, as Christian described, the motivation is to give containerization programs (docker, podman, etc.) a way to control the content in procfs. Now container tools use a list of dangerous files that they hide with overmount. But procfs is not a static filesystem and using a bad list to hide dangerous files can't be the solution. I believe that a container should define a list of files that it considers useful within the container, and not try to hide what it considers unwanted. > Also, please describe why /proc/allowlist is made available via a mount > option, rather than being permanently present. Like subset=pid, this file is needed to change the visibility of files in the procfs mountpoint. > And why add to subset=, instead of a separate mount option. > > Does /proc/allowlist work in subdirectories? Like, permit presence of > /proc/sys/vm/compact_memory? Yes. But /proc/allowlist is limited in size to 128K. > I think the whole thing is misnamed, really. "allowlist" implies > access permissions. Some of the test here uses "visibility" and other > places use "presence", which are better. "presentlist" and > /proc/presentlist might be better. But why not simply /proc/contents? I don't hold on to the name allowlist at all :) present list is perfect for me. The /proc/contents is confusing to me. > Please run these patches through checkpatch and consider the result. Ok. I will. -- Rgrds, legion
