From nobody Thu Apr 2 20:28:07 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AFB63353EDB; Fri, 13 Feb 2026 10:44:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770979488; cv=none; b=rX5fd2aRS0ZhLNhH+9P7kRt+VCSBsBnSrPG8mtLNBbgWnbom0VsscmkHG8V4Krjkzk7hEZ2jTQzoMeIjEuSseyYCIkTq34P0nz56ajA/L1mROneyYBtsmo/u6hYCnVBae8wVocJKuoCnABBMtSW4HBhMdtb+xPcssUD+GCfY9iQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770979488; c=relaxed/simple; bh=LpgbViYueVfs8znDGiGm/oh4caXky7ehWf+alC0Sk7c=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Toz1rhiE/ZqMM3raZVxs1seHdl1Am0ui9W+WANPFCMAuOObBAjr4mzY7+ocYZPaHxVuM+x4CkLndW7O6K5w64BqKMjMLfXhdWU8tKdrySg3746fN+OJDD2EkIF2xKJejhLUHT2KAVhTAW9xLP+zFc282pceVA8YuN77s7r0Uv3Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=eEhY8TjU; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="eEhY8TjU" Received: by smtp.kernel.org (Postfix) with ESMTPSA id A7353C4AF09; Fri, 13 Feb 2026 10:44:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1770979488; bh=LpgbViYueVfs8znDGiGm/oh4caXky7ehWf+alC0Sk7c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eEhY8TjUTmLFtA8f763ww2my/jgDgDJfIzvXY/7RMR8CEjtGqAtm6rnRqDjCZB/jE PlxfiZrxwoBRux5oASg5MBzvuWuFuzTTWcKLvKbZNg2z+g72Cezz/KnGdf1ACZhC/T acl0rjpnm0JOTP5iXaYdlPxATCNvGbmyCt0XN2ZU/VrGnYAWrF//Uo6FXb+o9Lzoy3 yLxyc134uWJKgYn3+d3ecrGbC9KgD4oOKqa6pu/MFAa4K/80xip+dDF4dT9Gl69jdF UADi2mb2JaCaqmpKdQa09CaIoCcQnHN0pdJDs9YYdyE00RZNugs0YhY6h61oWLHe9s YLekbm9Dr0R6A== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , "Eric W . Biederman" , Kees Cook , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v8 1/5] docs: proc: add documentation about mount restrictions Date: Fri, 13 Feb 2026 11:44:26 +0100 Message-ID: <654e021422520a7b25df0cc8591b7643519585fa.1770979341.git.legion@kernel.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" procfs has a number of mounting restrictions that are not documented anywhere. Signed-off-by: Alexey Gladkov --- Documentation/filesystems/proc.rst | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems= /proc.rst index 8256e857e2d7..c8864fcbdec7 100644 --- a/Documentation/filesystems/proc.rst +++ b/Documentation/filesystems/proc.rst @@ -52,6 +52,7 @@ fixes/update part 1.1 Stefani Seibold June 9 2009 =20 4 Configuring procfs 4.1 Mount options + 4.2 Mount restrictions =20 5 Filesystem behavior =20 @@ -2410,6 +2411,19 @@ will use the calling process's active pid namespace.= Note that the pid namespace of an existing procfs instance cannot be modified (attempting to= do so will give an `-EBUSY` error). =20 +4.2 Mount restrictions +-------------------------- + +If user namespaces are in use, the kernel additionally checks the instance= s of +procfs available to the mounter and will not allow procfs to be mounted if: + + 1. This mount is not fully visible. + + a. It's root directory is not the root directory of the filesystem. + b. If any file or non-empty procfs directory is hidden by another mou= nt. + + 2. A new mount overrides the readonly option or any option from atime fa= milty. + Chapter 5: Filesystem behavior =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D =20 --=20 2.53.0 From nobody Thu Apr 2 20:28:07 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B70AF3542C3; Fri, 13 Feb 2026 10:44:50 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770979490; cv=none; b=eS4hMiP6GNsz1afxGQI2jU2BPsrq6f8vRIitQFYO8FWYsWq2sSdu8gRw/X2odKSVJdnRLgaNvEGKpNAjj+IxSkUHFQpxqWtrAsp1W1OiFlgkLBC++FEMicpGgtmQZnH733FCrIZKkbeQLOABrKj0K/SArvLBOVR7x4n12LVaJ3c= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770979490; c=relaxed/simple; bh=kpXfv1aQjmRM7Lisa9SQR+o6ZN41NjPHRd8/uCOz0mA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PbCvygkvp3Vy6G1Di9ylIRnd4ouUxihKEm0abkIL+VxBvq9L27F9fDmP+dwYJUeJD9bYYY71jnRNOT7ue8aOOShnREqoEjqgF/H/9BUd9Bpz9BY1AbnvGDlUgwY8eFETp5rDu8p4IXMsR4cMavGLec1YPcFQKpVhBIi0bRUtDx4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=CJnjD40A; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="CJnjD40A" Received: by smtp.kernel.org (Postfix) with ESMTPSA id BCD0AC16AAE; Fri, 13 Feb 2026 10:44:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1770979490; bh=kpXfv1aQjmRM7Lisa9SQR+o6ZN41NjPHRd8/uCOz0mA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CJnjD40AgaXOaFd2bB3q+hhoLOS7vWRMoLrKTwdz6g7aDZe1E48kbxJQgtAlhsC1D KaZRQ1JaeyEaZAV3MV24Z2x4k2jHBI7MqMv9O0AOGiqxgAk8lAxRCHM2wVrKnX4hoE +H9m9Z6hZIP2J88prwda4mJ2TsrF+vX7kRsjqAeJEgPUMP73P7HP/IsLEiFSaehydr qfeF5ropfWFfOnT6B9JWg13kBmbaOmhtDvapThmWfiNKqnWlb/ucjjpzbZ42ZgR0CU 056TURduuQmvC9m4W6hY84cjeSZtRDva6ENfXUGMZsYV76Up7GiWN38/sjP9rMZVt/ P6DfLmco3Ttig== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , "Eric W . Biederman" , Kees Cook , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v8 2/5] proc: subset=pid: Show /proc/self/net only for CAP_NET_ADMIN Date: Fri, 13 Feb 2026 11:44:27 +0100 Message-ID: <624eb242fab38fd01589fb5cb51c65617620be89.1770979341.git.legion@kernel.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Cache the mounters credentials and allow access to the net directories contingent of the permissions of the mounter of proc. Do not show /proc/self/net when proc is mounted with subset=3Dpid option and the mounter does not have CAP_NET_ADMIN. To avoid inadvertently allowing access to /proc//net, updating mounter credentials is not supported. Signed-off-by: Alexey Gladkov --- fs/proc/proc_net.c | 8 ++++++++ fs/proc/root.c | 2 ++ include/linux/proc_fs.h | 1 + 3 files changed, 11 insertions(+) diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c index 52f0b75cbce2..6e0ccef0169f 100644 --- a/fs/proc/proc_net.c +++ b/fs/proc/proc_net.c @@ -23,6 +23,7 @@ #include #include #include +#include =20 #include "internal.h" =20 @@ -270,6 +271,7 @@ static struct net *get_proc_task_net(struct inode *dir) struct task_struct *task; struct nsproxy *ns; struct net *net =3D NULL; + struct proc_fs_info *fs_info =3D proc_sb_info(dir->i_sb); =20 rcu_read_lock(); task =3D pid_task(proc_pid(dir), PIDTYPE_PID); @@ -282,6 +284,12 @@ static struct net *get_proc_task_net(struct inode *dir) } rcu_read_unlock(); =20 + if (net && (fs_info->pidonly =3D=3D PROC_PIDONLY_ON) && + security_capable(fs_info->mounter_cred, net->user_ns, CAP_NET_ADMIN, = CAP_OPT_NONE) < 0) { + put_net(net); + net =3D NULL; + } + return net; } =20 diff --git a/fs/proc/root.c b/fs/proc/root.c index d8ca41d823e4..c4af3a9b1a44 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -254,6 +254,7 @@ static int proc_fill_super(struct super_block *s, struc= t fs_context *fc) return -ENOMEM; =20 fs_info->pid_ns =3D get_pid_ns(ctx->pid_ns); + fs_info->mounter_cred =3D get_cred(fc->cred); proc_apply_options(fs_info, fc, current_user_ns()); =20 /* User space would break if executables or devices appear on proc */ @@ -350,6 +351,7 @@ static void proc_kill_sb(struct super_block *sb) kill_anon_super(sb); if (fs_info) { put_pid_ns(fs_info->pid_ns); + put_cred(fs_info->mounter_cred); kfree_rcu(fs_info, rcu); } } diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h index 19d1c5e5f335..ec123c277d49 100644 --- a/include/linux/proc_fs.h +++ b/include/linux/proc_fs.h @@ -67,6 +67,7 @@ enum proc_pidonly { struct proc_fs_info { struct pid_namespace *pid_ns; kgid_t pid_gid; + const struct cred *mounter_cred; enum proc_hidepid hide_pid; enum proc_pidonly pidonly; struct rcu_head rcu; --=20 2.53.0 From nobody Thu Apr 2 20:28:07 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DEEA4354AC7; Fri, 13 Feb 2026 10:44:52 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770979492; cv=none; b=qQBrxC2mxoEQVcj3aRoIWZHrYQNayrKi31ndNhhH5WFKt+UVuDN0ZoFbCWQXzFx7rah0JCLSdaLfvB2B9d7gRQSm8s2JGIgEaAhO03387ITkuDg2HvFYUIcpaGm04JjuU8+N2fmMU8s7s8xVC55m8LtJRf6wS71QjlYjqRuvTN0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770979492; c=relaxed/simple; bh=mwQQgljy62m4eK+PIfpSlj2KKV74LnDLIugSpu0zBCc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=tMXv1W9Y2B1iq4Dj/9uEYsfcL3kwCc1gVuWSCE6SqWSAHckTwM9hJkADHcNAlYKqySNw1I2NBI474h1LRizrtXTYx/jjqJldhqmxn7CV0FHWkStynDTZBNQCeRx6qbqMA+JcUwYSrYJE6usFCVSDr25YVcm63BfuXwmDT+Hcboo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=lJXX14Jp; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="lJXX14Jp" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D2834C116C6; Fri, 13 Feb 2026 10:44:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1770979492; bh=mwQQgljy62m4eK+PIfpSlj2KKV74LnDLIugSpu0zBCc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lJXX14JpR2+HCi4NfMunPJR3uZsaaWcbWnb3XCOYGVyW5Y9XhA8fH1GyeoM1TQMqO Z1imj/2oJjlA4wqxRniPMX335Vi79Neh8WCh7v9yk3ceM5OU5d25uQdEArMdBcGT/E DLkg98UFuLqVXZvJRioKUa09CxBBJNzZH7u2+uA+Zl9WtrKzQmZi65F5I4/i3NNff/ dnotyaNDtjRFqmULVR2sWHwRfUJ/t4eRWkT5Kz7XcbBX+P5PHVVnp4JRzwSk4g07CK fEWs7kkGppVKfCVTebaNV2qzzbVtkRZWGtAcZtiA5jKfZLt9Jn9v/Uj5/wtF0pUvVv jJYDlzjvMiCCg== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , "Eric W . Biederman" , Kees Cook , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v8 3/5] proc: Disable cancellation of subset=pid option Date: Fri, 13 Feb 2026 11:44:28 +0100 Message-ID: <774be6da2605e432d08009a75db292067d6f0030.1770979341.git.legion@kernel.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When procfs is mounted with subset=3Dpid option, where is no way to remount it with this option removed. This is done in order not to make visible what ever was hidden since some checks occur during mount. This patch makes the limitation explicit and prints an error message. Signed-off-by: Alexey Gladkov --- fs/proc/root.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/fs/proc/root.c b/fs/proc/root.c index c4af3a9b1a44..535a168046e3 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -223,7 +223,7 @@ static int proc_parse_param(struct fs_context *fc, stru= ct fs_parameter *param) return 0; } =20 -static void proc_apply_options(struct proc_fs_info *fs_info, +static int proc_apply_options(struct proc_fs_info *fs_info, struct fs_context *fc, struct user_namespace *user_ns) { @@ -233,13 +233,17 @@ static void proc_apply_options(struct proc_fs_info *f= s_info, fs_info->pid_gid =3D make_kgid(user_ns, ctx->gid); if (ctx->mask & (1 << Opt_hidepid)) fs_info->hide_pid =3D ctx->hidepid; - if (ctx->mask & (1 << Opt_subset)) + if (ctx->mask & (1 << Opt_subset)) { + if (ctx->pidonly !=3D PROC_PIDONLY_ON && fs_info->pidonly =3D=3D PROC_PI= DONLY_ON) + return invalf(fc, "proc: subset=3Dpid cannot be unset\n"); fs_info->pidonly =3D ctx->pidonly; + } if (ctx->mask & (1 << Opt_pidns) && !WARN_ON_ONCE(fc->purpose =3D=3D FS_CONTEXT_FOR_RECONFIGURE)) { put_pid_ns(fs_info->pid_ns); fs_info->pid_ns =3D get_pid_ns(ctx->pid_ns); } + return 0; } =20 static int proc_fill_super(struct super_block *s, struct fs_context *fc) @@ -255,7 +259,9 @@ static int proc_fill_super(struct super_block *s, struc= t fs_context *fc) =20 fs_info->pid_ns =3D get_pid_ns(ctx->pid_ns); fs_info->mounter_cred =3D get_cred(fc->cred); - proc_apply_options(fs_info, fc, current_user_ns()); + ret =3D proc_apply_options(fs_info, fc, current_user_ns()); + if (ret) + return ret; =20 /* User space would break if executables or devices appear on proc */ s->s_iflags |=3D SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV; @@ -304,8 +310,7 @@ static int proc_reconfigure(struct fs_context *fc) =20 sync_filesystem(sb); =20 - proc_apply_options(fs_info, fc, current_user_ns()); - return 0; + return proc_apply_options(fs_info, fc, current_user_ns()); } =20 static int proc_get_tree(struct fs_context *fc) --=20 2.53.0 From nobody Thu Apr 2 20:28:07 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A6B1E354ADB; Fri, 13 Feb 2026 10:44:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770979494; cv=none; b=amPXUEG8ij8r86cZ1JyCSKE7hAdxlKSEKLtdN7E2Dch5rkpye4A6qVh0TEdXnW/dgOej+PIp9Ej5PLOH78mncALi+yXihvnN9xaiRcmXf/6Wo2fkD2HNzjz9KPIQMxMIwQtdd1upgfP8bmTfjOQEmHWgt/fgyxGTS1h2AfP1qNo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770979494; c=relaxed/simple; bh=u0rRFolz2hlrLl/jnl2NP+sUOagCjWWVkXRBr2RtN+0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=sedRjJMxw81KsU/3UETvBaYi2k6lpZckzl3kaBuabHY5iFuIDQ7UugXZzBPrMYpsndjsOjfiP+jmejNazZspidcsCshDfL/vjoBlODp0nO1idmz0aFvFlCiDItwYn/l6DzDyyAXLc5jI4OJSJHTPGKV+StKb66VyBoSqqNumIqQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=vHcEYQaF; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="vHcEYQaF" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E79D0C19423; Fri, 13 Feb 2026 10:44:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1770979494; bh=u0rRFolz2hlrLl/jnl2NP+sUOagCjWWVkXRBr2RtN+0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=vHcEYQaFW3fwFvLCte5ik1tN9tCtd2fyQx2gYUCv9DGvBqgmbrHiVbyWI5OKjUwex ZKsalfcsIFJKrw7tLv/h+FE4PH7jj3pDq1KCJJRxKPK32dEkxopa04pjEYiltc7CcR Bta+GkHvDoGn5SHjxzpUf1OSJLju/GKHUPF5TYRm9grP5WOMp8XhtcY9OSTZU/C7P8 IxOWz3STEWnTMUDwCsVgpWfzwfYoaXGylOgrQcZqU1qde8GUE3CUOd6VjPvnzN8ZS+ 5PJx85Yg+Obf/Mve8VJ8FX4gCin57gjgLZpGk6F8AwkelzuVcdn/KB8MsOzEWl2nwx b34p4MSiE0pag== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , "Eric W . Biederman" , Kees Cook , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v8 4/5] proc: Relax check of mount visibility Date: Fri, 13 Feb 2026 11:44:29 +0100 Message-ID: <0943f113592a25bee341aae25d1cea088791054f.1770979341.git.legion@kernel.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When /proc is mounted with the subset=3Dpid option, all system files from the root of the file system are not accessible in userspace. Only dynamic information about processes is available, which cannot be hidden with overmount. For this reason, checking for full visibility is not relevant if mounting is performed with the subset=3Dpid option. Signed-off-by: Alexey Gladkov --- fs/namespace.c | 29 ++++++++++++++++------------- fs/proc/root.c | 17 ++++++++++------- include/linux/fs/super_types.h | 2 ++ 3 files changed, 28 insertions(+), 20 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index c58674a20cad..7daa86315c05 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -6116,7 +6116,8 @@ static bool mnt_already_visible(struct mnt_namespace = *ns, /* This mount is not fully visible if it's root directory * is not the root directory of the filesystem. */ - if (mnt->mnt.mnt_root !=3D mnt->mnt.mnt_sb->s_root) + if (!(sb->s_iflags & SB_I_USERNS_ALLOW_REVEALING) && + mnt->mnt.mnt_root !=3D mnt->mnt.mnt_sb->s_root) continue; =20 /* A local view of the mount flags */ @@ -6136,18 +6137,20 @@ static bool mnt_already_visible(struct mnt_namespac= e *ns, ((mnt_flags & MNT_ATIME_MASK) !=3D (new_flags & MNT_ATIME_MASK))) continue; =20 - /* This mount is not fully visible if there are any - * locked child mounts that cover anything except for - * empty directories. - */ - list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { - struct inode *inode =3D child->mnt_mountpoint->d_inode; - /* Only worry about locked mounts */ - if (!(child->mnt.mnt_flags & MNT_LOCKED)) - continue; - /* Is the directory permanently empty? */ - if (!is_empty_dir_inode(inode)) - goto next; + if (!(sb->s_iflags & SB_I_USERNS_ALLOW_REVEALING)) { + /* This mount is not fully visible if there are any + * locked child mounts that cover anything except for + * empty directories. + */ + list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { + struct inode *inode =3D child->mnt_mountpoint->d_inode; + /* Only worry about locked mounts */ + if (!IS_MNT_LOCKED(child)) + continue; + /* Is the directory permanently empty? */ + if (!is_empty_dir_inode(inode)) + goto next; + } } /* Preserve the locked attributes */ *new_mnt_flags |=3D mnt_flags & (MNT_LOCK_READONLY | \ diff --git a/fs/proc/root.c b/fs/proc/root.c index 535a168046e3..e029d3587494 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -223,18 +223,21 @@ static int proc_parse_param(struct fs_context *fc, st= ruct fs_parameter *param) return 0; } =20 -static int proc_apply_options(struct proc_fs_info *fs_info, +static int proc_apply_options(struct super_block *s, struct fs_context *fc, struct user_namespace *user_ns) { struct proc_fs_context *ctx =3D fc->fs_private; + struct proc_fs_info *fs_info =3D proc_sb_info(s); =20 if (ctx->mask & (1 << Opt_gid)) fs_info->pid_gid =3D make_kgid(user_ns, ctx->gid); if (ctx->mask & (1 << Opt_hidepid)) fs_info->hide_pid =3D ctx->hidepid; if (ctx->mask & (1 << Opt_subset)) { - if (ctx->pidonly !=3D PROC_PIDONLY_ON && fs_info->pidonly =3D=3D PROC_PI= DONLY_ON) + if (ctx->pidonly =3D=3D PROC_PIDONLY_ON) + s->s_iflags |=3D SB_I_USERNS_ALLOW_REVEALING; + else if (fs_info->pidonly =3D=3D PROC_PIDONLY_ON) return invalf(fc, "proc: subset=3Dpid cannot be unset\n"); fs_info->pidonly =3D ctx->pidonly; } @@ -259,9 +262,6 @@ static int proc_fill_super(struct super_block *s, struc= t fs_context *fc) =20 fs_info->pid_ns =3D get_pid_ns(ctx->pid_ns); fs_info->mounter_cred =3D get_cred(fc->cred); - ret =3D proc_apply_options(fs_info, fc, current_user_ns()); - if (ret) - return ret; =20 /* User space would break if executables or devices appear on proc */ s->s_iflags |=3D SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV; @@ -273,6 +273,10 @@ static int proc_fill_super(struct super_block *s, stru= ct fs_context *fc) s->s_time_gran =3D 1; s->s_fs_info =3D fs_info; =20 + ret =3D proc_apply_options(s, fc, current_user_ns()); + if (ret) + return ret; + /* * procfs isn't actually a stacking filesystem; however, there is * too much magic going on inside it to permit stacking things on @@ -306,11 +310,10 @@ static int proc_fill_super(struct super_block *s, str= uct fs_context *fc) static int proc_reconfigure(struct fs_context *fc) { struct super_block *sb =3D fc->root->d_sb; - struct proc_fs_info *fs_info =3D proc_sb_info(sb); =20 sync_filesystem(sb); =20 - return proc_apply_options(fs_info, fc, current_user_ns()); + return proc_apply_options(sb, fc, current_user_ns()); } =20 static int proc_get_tree(struct fs_context *fc) diff --git a/include/linux/fs/super_types.h b/include/linux/fs/super_types.h index 6bd3009e09b3..5e640b9140df 100644 --- a/include/linux/fs/super_types.h +++ b/include/linux/fs/super_types.h @@ -333,4 +333,6 @@ struct super_block { #define SB_I_NOIDMAP 0x00002000 /* No idmapped mounts on this superblock */ #define SB_I_ALLOW_HSM 0x00004000 /* Allow HSM events on this superblock */ =20 +#define SB_I_USERNS_ALLOW_REVEALING 0x00008000 /* Skip full visibility che= ck */ + #endif /* _LINUX_FS_SUPER_TYPES_H */ --=20 2.53.0 From nobody Thu Apr 2 20:28:07 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C4DD43542DB; Fri, 13 Feb 2026 10:44:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770979496; cv=none; b=R3ZjG3k8zNkMAv6qyX7bn1YxNSN1v4Gt0CUeB+w3MPfr1hFh2YIYQ7ZyyQCAowtvzegxKZqqg6j9ZwoI42iyelAkWeB4OZiwdyI4of7yRaAOvdP8st2hkhspPsAI72sAoNMkMhoJ27eXrRJPUVxEQICDdBZNpsXNoUyJmakQzWs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770979496; c=relaxed/simple; bh=QRRP7xArIVfTXqzIf8NIlsyrWWBUCIjM0l4EgDMc768=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=N2RBHUG++VJW+ZtYEabaIZuWZfCBrqlS8jQlydBDT0SbRFGtPUzdVuBVqFzVG0q5eg4B/wKjd+/8d6cSy7ZFfhW45zQLyhJaoFJMH64Z9gUV/nWhIFsguBMUI3Czi5TJWOlgWLmNVn89q93jdB/Vz47iqXLK4SMQp9Q6cA2vD+Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=RJ86mcT1; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="RJ86mcT1" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 07DB3C116C6; Fri, 13 Feb 2026 10:44:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1770979496; bh=QRRP7xArIVfTXqzIf8NIlsyrWWBUCIjM0l4EgDMc768=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RJ86mcT1cNuCnObS8WSWu119BBGerKwDRyHm+jdKkCs4Qd+w1X6cIUzPCjx4TCo2g aCbd56Wxmwnc9niy3Fj+sjmHI8oN0FFPBMWlsJMgdqWWmjPnHhQ7QB+a4jBkGvf2ys XpsU6y2vkv3TK9aD7pEhTPrpcOlt9kpIX0ufaYs+R3Se5JeC4EwbtODMsvGovffAiE FyhXxAGCbMFJRnuJ7kGaHBZ7QGB6WFFxL1L5h51b5sObY05yYmamoWe7lLHQ3vhRAd 9WYKVvegydz032f13zCsc77/ynFa5PwQSeXb9Iggdf4/Ic0WI42TUcd0MAaqyuFzl/ 0gK3zd3WnJ0sA== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , "Eric W . Biederman" , Kees Cook , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v8 5/5] docs: proc: add documentation about relaxing visibility restrictions Date: Fri, 13 Feb 2026 11:44:30 +0100 Message-ID: <84b3d2c6f7eadccd115c561d7291ff2f7532595e.1770979341.git.legion@kernel.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Signed-off-by: Alexey Gladkov --- Documentation/filesystems/proc.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems= /proc.rst index c8864fcbdec7..3acf178c1202 100644 --- a/Documentation/filesystems/proc.rst +++ b/Documentation/filesystems/proc.rst @@ -2417,7 +2417,8 @@ so will give an `-EBUSY` error). If user namespaces are in use, the kernel additionally checks the instance= s of procfs available to the mounter and will not allow procfs to be mounted if: =20 - 1. This mount is not fully visible. + 1. This mount is not fully visible unless the new procfs is going to be + mounted with subset=3Dpid option. =20 a. It's root directory is not the root directory of the filesystem. b. If any file or non-empty procfs directory is hidden by another mou= nt. --=20 2.53.0