[PATCH v10 0/7] proc: subset=pid: Relax check of mount visibility

Alexey Gladkov posted 7 patches 1 month, 2 weeks ago
[PATCH v10 0/7] proc: subset=pid: Relax check of mount visibility
Posted by Alexey Gladkov 1 month, 2 weeks ago
When mounting procfs with the subset=pid option, all static files become
unavailable and only the dynamic part with information about pids is accessible.

In this case, there is no point in imposing additional restrictions on the
visibility of the entire filesystem for the mounter. Everything that can be
hidden in procfs is already inaccessible.

Currently, these restrictions prevent pidfs from being mounted inside rootless
containers, as almost all container implementations override part of procfs to
hide certain directories. Relaxing these restrictions will allow pidfs to be
used in nested containerization.

---
Changelog
---------
v10:
* Rework visibility checks around Christian's FS_USERNS_MOUNT_RESTRICTED
  and SB_I_RESTRICTED_VARIANT approach instead of fs_context skip_visibility.
* Add Christian's sysfs_get_tree() cleanup.
* Treat subset=pid procfs as a restricted variant that is allowed without
  mnt_already_visible(), but cannot be used as visibility evidence for later
  mounts.
* Forbid changing subset=pid on procfs reconfigure in either direction to
  avoid exposing pre-existing overmounts after switching to subset=pid.
* Make failed subset=pid reconfigure leave other procfs options unchanged.
* Update procfs documentation accordingly.

v9:
* Rework the patch based on the one proposed by Christian Brauner.

v8:
* Remove mounter credential change on remount as suggested by Christian Brauner.

v7:
* Rebase on v6.19-rc5.
* Rename SB_I_DYNAMIC to SB_I_USERNS_ALLOW_REVEALING.

v6:
* Add documentation about procfs mount restrictions.
* Reorder commits for better review.

v4:
* Set SB_I_DYNAMIC only if pidonly is set.
* Add an error message if subset=pid is canceled during remount.

v3:
* Add 'const' to struct cred *mounter_cred (fix kernel test robot warning).

v2:
* Cache the mounter's credentials and make access to the net directories
  contingent on the permissions of the mounter of procfs.

Alexey Gladkov (4):
  proc: subset=pid: Show /proc/self/net only for CAP_NET_ADMIN
  proc: prevent reconfiguring subset=pid
  proc: handle subset=pid separately in userns visibility checks
  docs: proc: add documentation about mount restrictions

Christian Brauner (3):
  namespace: record fully visible mounts in list
  fs: move SB_I_USERNS_VISIBLE to FS_USERNS_MOUNT_RESTRICTED
  sysfs: remove trivial sysfs_get_tree() wrapper

 Documentation/filesystems/proc.rst | 19 ++++++++++++++++-
 fs/mount.h                         |  4 ++++
 fs/namespace.c                     | 34 +++++++++++++++++++++++-------
 fs/proc/proc_net.c                 |  8 +++++++
 fs/proc/root.c                     | 24 +++++++++++++++------
 fs/sysfs/mount.c                   | 18 ++--------------
 include/linux/fs.h                 |  1 +
 include/linux/fs/super_types.h     |  2 +-
 include/linux/proc_fs.h            |  1 +
 kernel/acct.c                      |  2 +-
 10 files changed, 80 insertions(+), 33 deletions(-)

-- 
2.54.0
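
An added example, not part of the posted series: a userspace audit that parses mountinfo-format text and reports, for each procfs instance, whether subset=pid is set and which mounts sit on top of it. The sample input is constructed, the names (`audit_procfs`, `visibility_evidence`) are hypothetical, and the evidence flag is a simplified approximation of the rule described in the v10 changelog, not the kernel's mnt_already_visible() logic.

```python
from dataclasses import dataclass

# Constructed sample in /proc/self/mountinfo format: a container whose /proc
# has two masked paths, plus a second procfs instance mounted with subset=pid.
SAMPLE = """\
100 90 0:50 / / rw,relatime - overlay overlay rw
101 100 0:51 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
102 101 0:52 / /proc/acpi ro,relatime - tmpfs tmpfs ro
103 101 0:6 /null /proc/kcore rw,nosuid - devtmpfs devtmpfs rw
104 100 0:53 / /run/pidproc rw,nosuid,nodev,noexec - proc proc rw,subset=pid
"""

@dataclass
class Mount:
    mount_id: int
    parent_id: int
    root: str
    mount_point: str
    fstype: str
    super_opts: list

def parse_mountinfo(text):
    """Parse mountinfo lines; optional fields before the '-' separator are ignored."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        head, tail = left.split(), right.split()
        opts = tail[2].split(",") if len(tail) > 2 else []
        mounts.append(Mount(int(head[0]), int(head[1]), head[3], head[4], tail[0], opts))
    return mounts

def audit_procfs(mounts):
    """Map each procfs mount point to its subset=pid state and overmounts."""
    report = {}
    for m in mounts:
        if m.fstype != "proc":
            continue
        # Mounts whose parent is this procfs instance sit on top of it.
        over = sorted(c.mount_point for c in mounts if c.parent_id == m.mount_id)
        subset_pid = "subset=pid" in m.super_opts
        report[m.mount_point] = {
            "subset_pid": subset_pid,
            "overmounts": over,
            # Approximation: only a whole, unmasked, non-subset instance counts.
            "visibility_evidence": m.root == "/" and not over and not subset_pid,
        }
    return report
```
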
Re: [PATCH v10 0/7] proc: subset=pid: Relax check of mount visibility
Posted by Aleksa Sarai 1 month, 2 weeks ago
On 2026-04-27, Alexey Gladkov <legion@kernel.org> wrote:
> When mounting procfs with the subset=pid option, all static files become
> unavailable and only the dynamic part with information about pids is accessible.
> 
> In this case, there is no point in imposing additional restrictions on the
> visibility of the entire filesystem for the mounter. Everything that can be
> hidden in procfs is already inaccessible.
> 
> Currently, these restrictions prevent pidfs from being mounted inside rootless
> containers, as almost all container implementations override part of procfs to
> hide certain directories. Relaxing these restrictions will allow pidfs to be
> used in nested containerization.

Aside from one minor nit about invalf, looks great! Feel free to take my

Reviewed-by: Aleksa Sarai <aleksa@amutable.com>

-- 
Aleksa Sarai
https://www.cyphar.com/
Re: [PATCH v10 0/7] proc: subset=pid: Relax check of mount visibility
Posted by Christian Brauner 1 month, 2 weeks ago
On Mon, 27 Apr 2026 10:26:01 +0200, Alexey Gladkov wrote:
> When mounting procfs with the subset=pid option, all static files become
> unavailable and only the dynamic part with information about pids is accessible.
> 
> In this case, there is no point in imposing additional restrictions on the
> visibility of the entire filesystem for the mounter. Everything that can be
> hidden in procfs is already inaccessible.
> 
> [...]

Thanks, I think we ended with something that looks quite decent now.

---

Applied to the vfs-7.2.procfs branch of the vfs/vfs.git tree.
Patches in the vfs-7.2.procfs branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs-7.2.procfs

[1/7] namespace: record fully visible mounts in list
      https://git.kernel.org/vfs/vfs/c/18920cc2ade4
[2/7] fs: move SB_I_USERNS_VISIBLE to FS_USERNS_MOUNT_RESTRICTED
      https://git.kernel.org/vfs/vfs/c/a09358516cf2
[3/7] sysfs: remove trivial sysfs_get_tree() wrapper
      https://git.kernel.org/vfs/vfs/c/630dc69a9f7d
[4/7] proc: subset=pid: Show /proc/self/net only for CAP_NET_ADMIN
      https://git.kernel.org/vfs/vfs/c/0ff06ac76088
[5/7] proc: prevent reconfiguring subset=pid
      https://git.kernel.org/vfs/vfs/c/87341f4e3436
[6/7] proc: handle subset=pid separately in userns visibility checks
      https://git.kernel.org/vfs/vfs/c/6691ea02bddb
[7/7] docs: proc: add documentation about mount restrictions
      https://git.kernel.org/vfs/vfs/c/65cb11ddcfcd