From mboxrd@z Thu Jan 1 00:00:00 1970 
From: ebiederm@xmission.com (Eric W. Biederman)
Subject: Re: [REVIEW][PATCH 3/3] vfs: Fix a regression in mounting proc
Date: Tue, 26 Nov 2013 21:00:02 -0800
Message-ID: <87li0atp65.fsf@xmission.com>
References: <20131115164123.GN28794@redhat.com> <20131116164840.GA4441@mail.hallyn.com>
 <20131117030653.GA7670@mail.hallyn.com> <20131118031932.GA17621@mail.hallyn.com>
 <52899D09.5080202@cn.fujitsu.com> <20131118140830.GA22075@mail.hallyn.com>
 <20131118180134.GA24156@mail.hallyn.com> <87k3g5gnuv.fsf@xmission.com>
 <20131126181043.GA25492@mail.hallyn.com> <87siui1z1g.fsf_-_@xmission.com>
 <87pppmzoin.fsf_-_@xmission.com> <529564AA.8050100@cn.fujitsu.com>
Mime-Version: 1.0
Content-Type: text/plain
Cc: "Serge E. Hallyn", Containers, linux-fsdevel@vger.kernel.org, Aditya Kali, Oleg Nesterov, Andy Lutomirski
To: Gao feng
Return-path:
Received: from out01.mta.xmission.com ([166.70.13.231]:40645 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750772Ab3K0FAM (ORCPT ); Wed, 27 Nov 2013 00:00:12 -0500
In-Reply-To: <529564AA.8050100@cn.fujitsu.com> (Gao feng's message of "Wed, 27 Nov 2013 11:19:06 +0800")
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

Gao feng writes:

> On 11/27/2013 08:17 AM, Eric W. Biederman wrote:
>>
>> Gao feng reported that commit
>> e51db73532955dc5eaba4235e62b74b460709d5b
>> userns: Better restrictions on when proc and sysfs can be mounted
>> caused a regression on mounting a new instance of proc in a mount
>> namespace created with user namespace privileges, when binfmt_misc
>> is mounted on /proc/sys/fs/binfmt_misc.
>>
>> This is an unintended regression caused by the absolutely bogus empty
>> directory check in fs_fully_visible. The check fs_fully_visible replaced
>> didn't even bother to attempt to verify proc was fully visible and
>> hiding proc files with any kind of mount is rare. So for now fix
>> the userspace regression by allowing directory with nlink == 1
>> as /proc/sys/fs/binfmt_misc has.
>> >> I will have a better patch but it is not stable material, or >> last minute kernel material. So it will have to wait. >> >> Cc: stable@vger.kernel.org >> Signed-off-by: "Eric W. Biederman" >> --- >> fs/namespace.c | 2 +- >> 1 files changed, 1 insertions(+), 1 deletions(-) >> >> diff --git a/fs/namespace.c b/fs/namespace.c >> index ac2ce8a766e1..be32ebccdeb1 100644 >> --- a/fs/namespace.c >> +++ b/fs/namespace.c >> @@ -2886,7 +2886,7 @@ bool fs_fully_visible(struct file_system_type *type) >> struct inode *inode = child->mnt_mountpoint->d_inode; >> if (!S_ISDIR(inode->i_mode)) >> goto next; >> - if (inode->i_nlink != 2) >> + if (inode->i_nlink > 2) >> goto next; >> } >> visible = true; >> > > As a quick fix. > > Acked-by: Gao feng > Tested-by: Gao feng > > looking forward to your following patch. :) I might have to be prodded. Sometimes it looks easy and sometimes I go ick locking craziness. Once I am done sorting out the regressions I plan on focusing on the mount issues between namespaces. Eric
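
Review bot: the new condition `if (inode->i_nlink > 2)` in the fs_fully_visible hunk accepts every link count of 2 or less, including 0, while the commit message only argues for the nlink == 1 case seen on /proc/sys/fs/binfmt_misc. A short comment at that line would help: it should say that 1 is accepted because of the binfmt_misc mount point, and that the link count is only a stand-in for "the directory under this mount is empty", since it says nothing about non-directory entries. If only the two known values are meant to pass, spelling the test out as `i_nlink != 1 && i_nlink != 2` would keep the quick fix as narrow as the description. Since the message marks this as stable material with a better patch to follow, the comment is also the place to record that the check is temporary.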