From nobody Fri Jun 12 07:25:48 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A43DF39B4AF; Mon, 27 Apr 2026 08:26:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278417; cv=none; b=PT8Ng6gpLqjscSKXUkda2kPSuxpUc2Pop7hoXMZAo9Lb7U6N0nMW6XwUquii/KzFguHBspctjqHkBW6s23CsdfNK9Z9GrTy/mwTjoQfg9v7wpjl+8WRtajg8BYxiIvGDkGrpauUaVKZIBxPt0QcohUNe13TBj8/+53c6lEO8SNw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278417; c=relaxed/simple; bh=Hgw9EtwhJXIIPJ0mk5lcwbLt8+W+zvZCaQBpQ0guZXI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=aIlNUxwaCYTbSk4Y6PQPa8f/xMBNir127RDMhIFsYyEFCvxjqQzxtldoE9ix51ZmSxACfRcMmbWo0L54hYpqZ8pLPqoPNN8UCiU2Kox+obqYtkj1xghS3mCxN1BYK2Frbf9ooxPnCPjiepekMDQgxmQq2q8Iq/UFoC289qrr9nw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=A8KTwBMj; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="A8KTwBMj" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 4BA38C2BCB4; Mon, 27 Apr 2026 08:26:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1777278417; bh=Hgw9EtwhJXIIPJ0mk5lcwbLt8+W+zvZCaQBpQ0guZXI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=A8KTwBMjCtGtuzjLTMKE8oi/CaAr44CSPYATg3sz6lYyTh26tF3iOF+UZcsEStK5T u/aWuHdCfDrwm/fPxyKFFi2+0wWX9+qCqh+FWhIBfLBnLUotCMONj6fxtaICELA6Ls x1WiJ+WM0UoA87mVv/fYyvSHunuZi8HR+ZQJ6joGHCv2qBOlBOJ47EYBipqVuBu1CA Dia8/+UVU5MdcTv2rcdPLIBfFgII+yI7HRvLlof2RhUz8krxdwg1dJVRCExfn/JUxS 
buCMGNrdkCvxfW43f/tlVI/uHizDbbmbVfILmZHYe/iCJylFNkxZ8PJQTDg2C5h7KK ZcuWZ2cyC16TA== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , Aleksa Sarai , "Eric W . Biederman" , Kees Cook , containers@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v10 1/7] namespace: record fully visible mounts in list Date: Mon, 27 Apr 2026 10:26:02 +0200 Message-ID: <684859a8e0ac929cb89c1fbe16ce15b30c70eb1f.1777278334.git.legion@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Christian Brauner Instead of wading through all the mounts in the mount namespace rbtree to find fully visible procfs and sysfs mounts, be honest about them being special cruft and record them in a separate per-mount namespace list. Signed-off-by: Christian Brauner Reviewed-by: Aleksa Sarai --- fs/mount.h | 4 ++++ fs/namespace.c | 19 +++++++++++-------- 2 files changed, 15 insertions(+), 8 deletions(-) diff --git a/fs/mount.h b/fs/mount.h index e0816c11a198..5df134d56d47 100644 --- a/fs/mount.h +++ b/fs/mount.h @@ -25,6 +25,7 @@ struct mnt_namespace { __u32 n_fsnotify_mask; struct fsnotify_mark_connector __rcu *n_fsnotify_marks; #endif + struct hlist_head mnt_visible_mounts; /* SB_I_USERNS_VISIBLE mounts */ unsigned int nr_mounts; /* # of mounts in the namespace */ unsigned int pending_mounts; refcount_t passive; /* number references not pinning @mounts */ @@ -90,6 +91,7 @@ struct mount { int mnt_expiry_mark; /* true if marked for expiry */ struct hlist_head mnt_pins; struct hlist_head mnt_stuck_children; + struct hlist_node mnt_ns_visible; /* link in ns->mnt_visible_mounts */ struct mount *overmount; /* mounted on ->mnt_root */ } __randomize_layout; =20 
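Review bot: the comment on the new list head, "/* SB_I_USERNS_VISIBLE mounts */", goes stale two patches later when 2/7 removes SB_I_USERNS_VISIBLE in favour of FS_USERNS_MOUNT_RESTRICTED, and 2/7's diffstat does not touch fs/mount.h. Either word the comment in terms of the property it tracks (root mounts of fstypes that are restricted in user namespaces, used by mnt_already_visible()) or update it in 2/7 so the two flag names do not coexist in the tree. The node side is fine: the hlist_unhashed() test in move_from_ns() depends on alloc_vfsmnt() initialising mnt_ns_visible, which the namespace.c hunk does.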
@@ -207,6 +209,8 @@ static inline void move_from_ns(struct mount *mnt) ns->mnt_first_node =3D rb_next(&mnt->mnt_node); rb_erase(&mnt->mnt_node, &ns->mounts); RB_CLEAR_NODE(&mnt->mnt_node); + if (!hlist_unhashed(&mnt->mnt_ns_visible)) + hlist_del_init(&mnt->mnt_ns_visible); } =20 bool has_locked_children(struct mount *mnt, struct dentry *dentry); diff --git a/fs/namespace.c b/fs/namespace.c index 854f4fc66469..539b74403072 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -321,6 +321,7 @@ static struct mount *alloc_vfsmnt(const char *name) INIT_HLIST_NODE(&mnt->mnt_slave); INIT_HLIST_NODE(&mnt->mnt_mp_list); INIT_HLIST_HEAD(&mnt->mnt_stuck_children); + INIT_HLIST_NODE(&mnt->mnt_ns_visible); RB_CLEAR_NODE(&mnt->mnt_node); mnt->mnt.mnt_idmap =3D &nop_mnt_idmap; } @@ -1098,6 +1099,10 @@ static void mnt_add_to_ns(struct mnt_namespace *ns, = struct mount *mnt) rb_link_node(&mnt->mnt_node, parent, link); rb_insert_color(&mnt->mnt_node, &ns->mounts); =20 + if ((mnt->mnt.mnt_sb->s_iflags & SB_I_USERNS_VISIBLE) && + mnt->mnt.mnt_root =3D=3D mnt->mnt.mnt_sb->s_root) + hlist_add_head(&mnt->mnt_ns_visible, &ns->mnt_visible_mounts); + mnt_notify_add(mnt); } =20 
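Review bot: in the move_from_ns() hunk the guard "if (!hlist_unhashed(&mnt->mnt_ns_visible))" is redundant: hlist_del_init() already returns early for an unhashed node and reinitialises it otherwise, so an unconditional hlist_del_init(&mnt->mnt_ns_visible); is enough and matches how the other list teardown in this function reads.

Review bot: the mnt_add_to_ns() hunk pushes onto ns->mnt_visible_mounts, but nothing in this series initialises that head: the 11 insertions / 8 deletions in the fs/namespace.c diffstat are fully accounted for by the alloc_vfsmnt(), mnt_add_to_ns() and mnt_already_visible() hunks, so correctness rests on alloc_mnt_ns() zero-allocating the namespace (a NULL first pointer is an empty hlist). An explicit INIT_HLIST_HEAD(&ns->mnt_visible_mounts) next to the rbtree initialisation would document that invariant, and it matters because mnt_already_visible() tests hlist_empty() on this head before taking any lock. The insertion condition "mnt_root == s_root" is what later lets the visibility walk drop that same test, so the two hunks must stay in sync; a comment at the insertion site saying so would help.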
@@ -6310,22 +6315,20 @@ static bool mnt_already_visible(struct mnt_namespac= e *ns, int *new_mnt_flags) { int new_flags =3D *new_mnt_flags; - struct mount *mnt, *n; + struct mount *mnt; + + /* Don't acquire namespace semaphore without a good reason. */ + if (hlist_empty(&ns->mnt_visible_mounts)) + return false; =20 guard(namespace_shared)(); - rbtree_postorder_for_each_entry_safe(mnt, n, &ns->mounts, mnt_node) { + hlist_for_each_entry(mnt, &ns->mnt_visible_mounts, mnt_ns_visible) { struct mount *child; int mnt_flags; =20 if (mnt->mnt.mnt_sb->s_type !=3D sb->s_type) continue; =20 - /* This mount is not fully visible if it's root directory - * is not the root directory of the filesystem. - */ - if (mnt->mnt.mnt_root !=3D mnt->mnt.mnt_sb->s_root) - continue; - /* A local view of the mount flags */ mnt_flags =3D mnt->mnt.mnt_flags; =20 --=20 2.54.0 From nobody Fri Jun 12 07:25:48 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1B4F939B495; Mon, 27 Apr 2026 08:26:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278420; cv=none; b=Pazzz2Z2sOEJtbcxasROMi5tUGs60ll1C1WoK1IXaoa9vg4lecBnwN4k7IMDTr3aEUASxxL1Bh5ZHxZvpbpjiSzNh7yQ7NfyMLx8EuNNxDT2ecb0i5uEPKVOUiLEf+7TgFZEH3+az9fYxP2fjBj7YTPZ3wxgJqH1A1q3ikHAPLA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278420; c=relaxed/simple; bh=U+1YtcWZiR0EbNPQMRPeDg2eGpcjr6DYpzp5NaT9tKU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=OKeCUXw4G7zvVe0ojZhaK+Zx3P7cY9ArIS7hXrUQ6UvEeAVlJXkZZnxq40cqTuzmT2/GhYWFdO/llyQThA4/M1hLgAzniu65oDcO/WOyOjhQiYuNwBui4FdD88/RdugfdghHUUqhJU/gkCRm8/Tc7OXoBMCfpX4vThwwDGbCNqE= ARC-Authentication-Results: i=1; 
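Review bot: the early "if (hlist_empty(&ns->mnt_visible_mounts)) return false;" runs before guard(namespace_shared)(), so it is a lockless read racing with mnt_add_to_ns() and move_from_ns(). That is acceptable only because a stale false here makes mount_too_revealing() return true and refuse the mount, i.e. the race fails closed; the comment should say that rather than only "Don't acquire namespace semaphore without a good reason", since the next person to copy this pattern into a permissive path will not get that property for free. Dropping the "mnt_root != s_root" check is consistent with mnt_add_to_ns() only listing mounts whose root is the superblock root, so a bind mount of a proc subdirectory is never treated as fully visible. The per-entry s_type comparison still has to stay because the list holds proc and sysfs mounts together. Switching from the _safe rbtree walk to plain hlist_for_each_entry() is fine since nothing is removed inside the loop.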
smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=AWF/H8qx; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="AWF/H8qx" Received: by smtp.kernel.org (Postfix) with ESMTPSA id B6D82C19425; Mon, 27 Apr 2026 08:26:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1777278419; bh=U+1YtcWZiR0EbNPQMRPeDg2eGpcjr6DYpzp5NaT9tKU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=AWF/H8qxP57Yyz3cNGGESauAUNI73eCg0p6RXAs6iQl/qojReGhmxPQYVQsyYO35h 93vOzh9L/0etN3o+01x2ZzfXC6vILKVG9UxQAPEIMgDBzW0B/JBkj3dbokbOnELe6o bk9Pm6eaaIs89Qk417Fsl2O6O7XQaVmabjzfLT7uHf7MCJOMtQA6ICj5XrHsGBix1n aE43rU3SXl397Y2COnNq3y0FINBSpwSWHbvy31SvMDMKevrSlCCI0Uby7mp/bhKbuV DwNagrruuBhRM1HT7bE9ZtgILYIIFnhtc94KIc71jcf4M8py9Gr+X1/OXq5cEoTsSk AgVMLzz+OjmJg== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , Aleksa Sarai , "Eric W . Biederman" , Kees Cook , containers@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v10 2/7] fs: move SB_I_USERNS_VISIBLE to FS_USERNS_MOUNT_RESTRICTED Date: Mon, 27 Apr 2026 10:26:03 +0200 Message-ID: <72887c5b6204dc3adf5a53104f0be6bd8bc4f6cd.1777278334.git.legion@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" 
From: Christian Brauner Whether a filesystem's mounts need to undergo a visibility check in user namespaces is a static property of the filesystem type, not a runtime property of each superblock instance. Both proc and sysfs always set SB_I_USERNS_VISIBLE on their superblocks unconditionally (sysfs does so on first creation, and subsequent mounts reuse the same superblock). Move this flag from sb->s_iflags (SB_I_USERNS_VISIBLE) to file_system_type->fs_flags (FS_USERNS_MOUNT_RESTRICTED) so the intent is expressed at the filesystem type level where it belongs. All check sites are updated to test sb->s_type->fs_flags instead of sb->s_iflags. The SB_I_NOEXEC and SB_I_NODEV flags remain on the superblock as they are runtime properties set during fill_super. Signed-off-by: Christian Brauner Reviewed-by: Aleksa Sarai --- fs/namespace.c | 6 +++--- fs/proc/root.c | 4 ++-- fs/sysfs/mount.c | 4 +--- include/linux/fs.h | 1 + include/linux/fs/super_types.h | 1 - kernel/acct.c | 2 +- 6 files changed, 8 insertions(+), 10 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index 539b74403072..ed13416370e3 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1099,7 +1099,7 @@ static void mnt_add_to_ns(struct mnt_namespace *ns, s= truct mount *mnt) rb_link_node(&mnt->mnt_node, parent, link); rb_insert_color(&mnt->mnt_node, &ns->mounts); =20 - if ((mnt->mnt.mnt_sb->s_iflags & SB_I_USERNS_VISIBLE) && + if ((mnt->mnt.mnt_sb->s_type->fs_flags & FS_USERNS_MOUNT_RESTRICTED) && mnt->mnt.mnt_root =3D=3D mnt->mnt.mnt_sb->s_root) hlist_add_head(&mnt->mnt_ns_visible, &ns->mnt_visible_mounts); =20 
@@ -6378,10 +6378,10 @@ static bool mount_too_revealing(const struct super_= block *sb, int *new_mnt_flags return false; =20 /* Can this filesystem be too revealing? */ - s_iflags =3D sb->s_iflags; - if (!(s_iflags & SB_I_USERNS_VISIBLE)) + if (!(sb->s_type->fs_flags & FS_USERNS_MOUNT_RESTRICTED)) return false; =20 + s_iflags =3D sb->s_iflags; if ((s_iflags & required_iflags) !=3D required_iflags) { WARN_ONCE(1, "Expected s_iflags to contain 0x%lx\n", required_iflags); diff --git a/fs/proc/root.c b/fs/proc/root.c index 0f9100559471..b65053f9f046 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -257,7 +257,7 @@ static int proc_fill_super(struct super_block *s, struc= t fs_context *fc) proc_apply_options(fs_info, fc, current_user_ns()); =20 /* User space would break if executables or devices appear on proc */ - s->s_iflags |=3D SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV; + s->s_iflags |=3D SB_I_NOEXEC | SB_I_NODEV; s->s_flags |=3D SB_NODIRATIME | SB_NOSUID | SB_NOEXEC; s->s_blocksize =3D 1024; s->s_blocksize_bits =3D 10; @@ -359,7 +359,7 @@ static struct file_system_type proc_fs_type =3D { .init_fs_context =3D proc_init_fs_context, .parameters =3D proc_fs_parameters, .kill_sb =3D proc_kill_sb, - .fs_flags =3D FS_USERNS_MOUNT | FS_DISALLOW_NOTIFY_PERM, + .fs_flags =3D FS_USERNS_MOUNT | FS_USERNS_MOUNT_RESTRICTED | FS_DISALLOW= _NOTIFY_PERM, }; =20 void __init proc_root_init(void) diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c index b199e8ff79b1..b45ea5d511e7 100644 --- a/fs/sysfs/mount.c +++ b/fs/sysfs/mount.c @@ -32,8 +32,6 @@ static int sysfs_get_tree(struct fs_context *fc) if (ret) return ret; =20 - if (kfc->new_sb_created) - fc->root->d_sb->s_iflags |=3D SB_I_USERNS_VISIBLE; return 0; } =20 
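Review bot: after the fs/sysfs/mount.c hunk removes the only use of kfc, sysfs_get_tree() is left with "struct kernfs_fs_context *kfc = fc->fs_private;" assigned and never read (the remaining body is visible in 3/7's removal hunk), which produces an unused-variable warning at this point in the series and breaks bisection under -Werror. Either drop that declaration here or fold 3/7's removal of the wrapper into this patch. In the mount_too_revealing() hunk, moving "s_iflags = sb->s_iflags;" below the fstype test keeps the required_iflags WARN_ONCE firing only for FS_USERNS_MOUNT_RESTRICTED types, so a restricted fstype that forgets SB_I_NOEXEC | SB_I_NODEV in fill_super is still caught; the proc_fill_super() hunk keeps both on the superblock, as the commit message says.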
@@ -93,7 +91,7 @@ static struct file_system_type sysfs_fs_type =3D { .name =3D "sysfs", .init_fs_context =3D sysfs_init_fs_context, .kill_sb =3D sysfs_kill_sb, - .fs_flags =3D FS_USERNS_MOUNT, + .fs_flags =3D FS_USERNS_MOUNT | FS_USERNS_MOUNT_RESTRICTED, }; =20 int __init sysfs_init(void) diff --git a/include/linux/fs.h b/include/linux/fs.h index 8b3dd145b25e..4e6553359938 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2280,6 +2280,7 @@ struct file_system_type { #define FS_MGTIME 64 /* FS uses multigrain timestamps */ #define FS_LBS 128 /* FS supports LBS */ #define FS_POWER_FREEZE 256 /* Always freeze on suspend/hibernate */ +#define FS_USERNS_MOUNT_RESTRICTED 512 /* Restrict mount in userns if not = already visible */ #define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rena= me() internally. */ int (*init_fs_context)(struct fs_context *); const struct fs_parameter_spec *parameters; diff --git a/include/linux/fs/super_types.h b/include/linux/fs/super_types.h index 383050e7fdf5..182efbeb9520 100644 --- a/include/linux/fs/super_types.h +++ b/include/linux/fs/super_types.h @@ -326,7 +326,6 @@ struct super_block { #define SB_I_STABLE_WRITES 0x00000008 /* don't modify blks until WB is don= e */ =20 /* sb->s_iflags to limit user namespace mounts */ -#define SB_I_USERNS_VISIBLE 0x00000010 /* fstype already mounted */ #define SB_I_IMA_UNVERIFIABLE_SIGNATURE 0x00000020 #define SB_I_UNTRUSTED_MOUNTER 0x00000040 #define SB_I_EVM_HMAC_UNSUPPORTED 0x00000080 diff --git a/kernel/acct.c b/kernel/acct.c index 1e19722c64c3..9fdfee6f4729 100644 --- a/kernel/acct.c +++ b/kernel/acct.c 
@@ -249,7 +249,7 @@ static int acct_on(const char __user *name) return -EINVAL; =20 /* Exclude procfs and sysfs. */ - if (file_inode(file)->i_sb->s_iflags & SB_I_USERNS_VISIBLE) + if (file_inode(file)->i_sb->s_type->fs_flags & FS_USERNS_MOUNT_RESTRICTED) return -EINVAL; =20 if (!(file->f_mode & FMODE_CAN_WRITE)) --=20 2.54.0 From nobody Fri Jun 12 07:25:48 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7AE5239B4AF; Mon, 27 Apr 2026 08:27:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278424; cv=none; b=ExW+Xw91jVVAh4ZG37jQmAXaTeP5IGGemkZLQZJIcGw5IVCJMChSnse1hDKVlYKHHNn/kRffsi/u44N4zhxripxkcK4hJJBgamR3fc7zEeRig6sK25R7B9027WsMRlgi2hvx4aO4ciq+JxCzDQ1gPMHUd3+XvPLuFIUec4j+9zw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278424; c=relaxed/simple; bh=fQ2/ypU05Asy7beJi748/A6lTpXACAw2G+z7PQcm4PE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=h7kyE8+af03jozcwzIK26LpmmeRXkYb0FojJw4gG5GpGfya/TY1d0NikHLw/tbkaUFe5ZHDVXiDqWrlaZfNF5iyMhtZGBCki1bDi3Cv1q4GVqi214ol2m7mfG7NRLpSP6jx1ppyFBlacwxl6m04KnYqwoU3udmsdciQvTsfOvbI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=pjn55vuN; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="pjn55vuN" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 322F4C2BCB4; Mon, 27 Apr 2026 08:27:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1777278422; bh=fQ2/ypU05Asy7beJi748/A6lTpXACAw2G+z7PQcm4PE=; 
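Review bot: the acct_on() hunk now keys the "Exclude procfs and sysfs." check on FS_USERNS_MOUNT_RESTRICTED, which is a user-namespace mount-policy flag, not a "not usable as an accounting file" flag. Today the two sets coincide because proc and sysfs are the only users, but any future filesystem that opts into FS_USERNS_MOUNT_RESTRICTED silently becomes unusable for process accounting, and a filesystem that should be excluded from accounting cannot be without also taking on the userns restriction. If that coupling is intended, the comment should say so explicitly; otherwise acct_on() deserves its own criterion rather than borrowing this flag.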
h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=pjn55vuNW5ByS4/bJtr1oB6N2IRJhPjrvtkkfE65foWmEf3p6vbp48zktTu2XfE9r CbtTax0br06ZAE3mipDJYUCxQ5Z/yAnQ5nXYU8rdc0qBiSErpJlS8zmRQxqzYIBDVW 8ctk9HweamzdDAdryO4ke/4ZhSZ//9kryV8lTJJGL5I7mbZvmEojyqSo1g/Y0B2AZp rtU1IOfwgXGvsNRpH0rsK7dfXo+odZ3d9asYVnubdIxMiYncU2bRQheMek+lz037j4 eiAhuZNcIsFURgN/KeAV4puoepaHtAzMVLmnsEXHpfVx+IvqAKLuRUkU3X/eER85Eu g+zKYjQtgDsQA== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , Aleksa Sarai , "Eric W . Biederman" , Kees Cook , containers@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v10 3/7] sysfs: remove trivial sysfs_get_tree() wrapper Date: Mon, 27 Apr 2026 10:26:04 +0200 Message-ID: X-Mailer: git-send-email 2.54.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Christian Brauner Now that FS_USERNS_MOUNT_RESTRICTED is a file_system_type flag, sysfs_get_tree() is a trivial wrapper around kernfs_get_tree() with no additional logic. Point sysfs_fs_context_ops.get_tree directly at kernfs_get_tree() and remove the wrapper. Signed-off-by: Christian Brauner Reviewed-by: Aleksa Sarai --- fs/sysfs/mount.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/fs/sysfs/mount.c b/fs/sysfs/mount.c index b45ea5d511e7..88c10823fcaf 100644 --- a/fs/sysfs/mount.c +++ b/fs/sysfs/mount.c @@ -23,18 +23,6 @@ static struct kernfs_root *sysfs_root; struct kernfs_node *sysfs_root_kn; =20 -static int sysfs_get_tree(struct fs_context *fc) -{ - struct kernfs_fs_context *kfc =3D fc->fs_private; - int ret; - - ret =3D kernfs_get_tree(fc); - if (ret) - return ret; - - return 0; -} - static void sysfs_fs_context_free(struct fs_context *fc) { struct kernfs_fs_context *kfc =3D fc->fs_private; 
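Review bot: the thing to verify for this removal is signature compatibility, and it holds: the wrapper only forwarded kernfs_get_tree(fc)'s return value, and kernfs_get_tree() already has the int (*)(struct fs_context *) shape that fs_context_operations.get_tree expects, so the ops hunk can point at it directly with no behaviour change. Nothing else to flag.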
@@ -47,7 +35,7 @@ static void sysfs_fs_context_free(struct fs_context *fc) =20 static const struct fs_context_operations sysfs_fs_context_ops =3D { .free =3D sysfs_fs_context_free, - .get_tree =3D sysfs_get_tree, + .get_tree =3D kernfs_get_tree, }; =20 static int sysfs_init_fs_context(struct fs_context *fc) --=20 2.54.0 From nobody Fri Jun 12 07:25:48 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E8A2139B96F; Mon, 27 Apr 2026 08:27:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278425; cv=none; b=fT57NtJjNbITet9U7ETiojDx0Gmt6fL0XgZbHTBllzE9xYbwD4DKqP+Gn00jv+c1vwwHsdfNqxzhPh3hy8K9G3O8pt6IduUfYtx/W1CWuRErla5wUD1PPOV0U2XU5ZghTTPZVVzpo28CjHgx5RaWcJf1w8gEjA4BDDp4DnpQIAc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278425; c=relaxed/simple; bh=fQmlPvBrnDFjz+bOisonNlu4m4XGzlXl6BPBsOr8laU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=kRla3BUjFE+lg4cFTs4MHDKqcNF28oS/kd7PdmSTrnBp2nbMazxBL0DnOLuOEa8XG5Bla/sPqQhZJz+rpEIbEudlQCiAINZ1eBxOJb05nEuANuKfwkmS+s4j6W2o38uBoU10mAlHxP50afmpTD4rup6VfEuLmJs1Yf91hgjGHmI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=RJ2oZzC8; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="RJ2oZzC8" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9F126C19425; Mon, 27 Apr 2026 08:27:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1777278424; bh=fQmlPvBrnDFjz+bOisonNlu4m4XGzlXl6BPBsOr8laU=; 
h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RJ2oZzC8MUbRt/eD8x5rcDn/yQkLJtPZ4D2HSjOb4JkXMOT5ur68T0tiY8pB2mX6/ Lrlb/9oIzAWgEKupWAn/DYZPDLXcZa3JRfJ95MgAom90c++TvqqvLPLM43CO9rYmTS gfWJDyvkgK5MbDWe9Y70JYH6cW8wEYDeorlTMzwiUWCAbpNDJVdX7apY+R7K/FQ9eC 8GN7BUo/2+H5hWsmAjYQokvDMa7I8IAqJCGotJdmB8fhgbu+4nv1J9Q2DXLOK7siNO 0I1FWAgfK+C1JM/UnFfGkXNDjrBQfSsgE61ACEMY7eYM5PtBMkSEFZVh8jvwsemxtm bLoGrt9JXJkQA== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , Aleksa Sarai , "Eric W . Biederman" , Kees Cook , containers@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v10 4/7] proc: subset=pid: Show /proc/self/net only for CAP_NET_ADMIN Date: Mon, 27 Apr 2026 10:26:05 +0200 Message-ID: X-Mailer: git-send-email 2.54.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Cache the mounters credentials and allow access to the net directories contingent of the permissions of the mounter of proc. Do not show /proc/self/net when proc is mounted with subset=3Dpid option and the mounter does not have CAP_NET_ADMIN. To avoid inadvertently allowing access to /proc//net, updating mounter credentials is not supported. Signed-off-by: Alexey Gladkov Reviewed-by: Aleksa Sarai --- fs/proc/proc_net.c | 8 ++++++++ fs/proc/root.c | 2 ++ include/linux/proc_fs.h | 1 + 3 files changed, 11 insertions(+) diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c index 52f0b75cbce2..6e0ccef0169f 100644 --- a/fs/proc/proc_net.c +++ b/fs/proc/proc_net.c @@ -23,6 +23,7 @@ #include #include #include +#include =20 #include "internal.h" =20 
@@ -270,6 +271,7 @@ static struct net *get_proc_task_net(struct inode *dir) struct task_struct *task; struct nsproxy *ns; struct net *net =3D NULL; + struct proc_fs_info *fs_info =3D proc_sb_info(dir->i_sb); =20 rcu_read_lock(); task =3D pid_task(proc_pid(dir), PIDTYPE_PID); @@ -282,6 +284,12 @@ static struct net *get_proc_task_net(struct inode *dir) } rcu_read_unlock(); =20 + if (net && (fs_info->pidonly =3D=3D PROC_PIDONLY_ON) && + security_capable(fs_info->mounter_cred, net->user_ns, CAP_NET_ADMIN, = CAP_OPT_NONE) < 0) { + put_net(net); + net =3D NULL; + } + return net; } =20 diff --git a/fs/proc/root.c b/fs/proc/root.c index b65053f9f046..89e5678129e4 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -254,6 +254,7 @@ static int proc_fill_super(struct super_block *s, struc= t fs_context *fc) return -ENOMEM; =20 fs_info->pid_ns =3D get_pid_ns(ctx->pid_ns); + fs_info->mounter_cred =3D get_cred(fc->cred); proc_apply_options(fs_info, fc, current_user_ns()); =20 /* User space would break if executables or devices appear on proc */ @@ -350,6 +351,7 @@ static void proc_kill_sb(struct super_block *sb) kill_anon_super(sb); if (fs_info) { put_pid_ns(fs_info->pid_ns); + put_cred(fs_info->mounter_cred); kfree_rcu(fs_info, rcu); } } diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h index 19d1c5e5f335..ec123c277d49 100644 --- a/include/linux/proc_fs.h +++ b/include/linux/proc_fs.h 
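Review bot: the check in get_proc_task_net() gates only PROC_PIDONLY_ON instances; a full (non-subset) proc mount by a mounter without CAP_NET_ADMIN still shows /proc/<pid>/net, which is intended because such mounts are already governed by mount_too_revealing(), but that asymmetry deserves a one-line comment above the if. The mechanics look right: security_capable() returns 0 or -EPERM, so the "< 0" test is correct; the capability is evaluated in net->user_ns, the owner of the target task's net namespace, using the mounter's credentials rather than the caller's, so a mounter that is CAP_NET_ADMIN only in its own user namespace is correctly denied; and "put_net(net); net = NULL;" keeps the reference balanced. In the root.c hunks, get_cred(fc->cred) pins the credentials at superblock creation and proc_kill_sb() drops them, consistent with the commit message's statement that reconfigure does not update mounter_cred; proc_reconfigure() is untouched here, which is what enforces that.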
@@ -67,6 +67,7 @@ enum proc_pidonly { struct proc_fs_info { struct pid_namespace *pid_ns; kgid_t pid_gid; + const struct cred *mounter_cred; enum proc_hidepid hide_pid; enum proc_pidonly pidonly; struct rcu_head rcu; --=20 2.54.0 From nobody Fri Jun 12 07:25:48 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 77D9839B4BE; Mon, 27 Apr 2026 08:27:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278427; cv=none; b=TiJVwFy5XMNkmZzEiwxNlK5NBAwMzoRSOm/G3xer0WGccwWUWzER9VoW8/3rWzTBeGyGdVEWSXzXysVgBZ9AK62uQa8pyxKjxJLNSfuN8z7RZaBH6y7WeSwY3a4JSkoLpEPAFHLB8N/u8h8Fo08Fificqg3YJSezSfkoetLXVyE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278427; c=relaxed/simple; bh=emFPWOyEMyLlcW/YMcZlCPlaGylN8uSZzDUyULMPc8o=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nwCofoOPOoSOtqb78VFHb296oz1FMOra8zPuXdqmh0uxP/8Ii6scFdi00L3e/zzfkPvBHoO+7uktn/yUW1dcy7Zkdxb/Ukosrhpb0MnoM0GoaejpYIHEAYVvv94PANUwKv8dXDda0gfJu+WxC/BMl5UeuFm0rNemD+ImAupXatU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=WxVqFc28; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="WxVqFc28" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 19106C2BCB6; Mon, 27 Apr 2026 08:27:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1777278427; bh=emFPWOyEMyLlcW/YMcZlCPlaGylN8uSZzDUyULMPc8o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; 
b=WxVqFc28iXFB8sE0ZFly7W/hD51MjiTE13rAKK+zkGPUfW2W/XZnA1YjJySJhxkAs FCXm4soHwd1QxI2ViEZGlLf5/dII+KKbPyyrsNtIlZqABWLOpNyURbRVAOatpJMBEG 0eKjTOCmZopMeSgMt5FZNYxEpHgA9oAAsjXoWA59A1TUVtWTo7dV1mShyfsL92BVFt 20Wqkg/db86cXzDyBnDCrqALi4Tr2mL4FJg6uf/Tn+qKzD/XexTTz1Y2XIE71CnhQk D1JaDwPZfE6uXafyzEfjHYG6WQv38wzUwDAFNS9ffcpRgZm3LnZHhsyF91sDcvDDwF j5bPRvk2Vvbsw== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , Aleksa Sarai , "Eric W . Biederman" , Kees Cook , containers@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v10 5/7] proc: prevent reconfiguring subset=pid Date: Mon, 27 Apr 2026 10:26:06 +0200 Message-ID: <13295f40f642af5d6e7038d681d43132ad80f7b2.1777278334.git.legion@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Changing subset=3Dpid on an existing procfs instance is not safe. If a full procfs mount has entries hidden by overmounts, switching it to subset=3Dpid would hide the top-level procfs entries from lookup and readdir while leaving the existing overmounts reachable. Reject attempts to change the subset=3Dpid state during reconfigure before applying any other procfs mount options, so a failed reconfigure cannot partially update the instance. Signed-off-by: Alexey Gladkov Reviewed-by: Aleksa Sarai --- fs/proc/root.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/fs/proc/root.c b/fs/proc/root.c index 89e5678129e4..1bf75a4ee146 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c 
@@ -223,12 +223,17 @@ static int proc_parse_param(struct fs_context *fc, st= ruct fs_parameter *param) return 0; } =20 -static void proc_apply_options(struct proc_fs_info *fs_info, +static int proc_apply_options(struct proc_fs_info *fs_info, struct fs_context *fc, struct user_namespace *user_ns) { struct proc_fs_context *ctx =3D fc->fs_private; =20 + if ((ctx->mask & (1 << Opt_subset)) && + fc->purpose =3D=3D FS_CONTEXT_FOR_RECONFIGURE && + ctx->pidonly !=3D fs_info->pidonly) + return invalf(fc, "proc: subset=3Dpid cannot be changed\n"); + if (ctx->mask & (1 << Opt_gid)) fs_info->pid_gid =3D make_kgid(user_ns, ctx->gid); if (ctx->mask & (1 << Opt_hidepid)) @@ -240,6 +245,7 @@ static void proc_apply_options(struct proc_fs_info *fs_= info, put_pid_ns(fs_info->pid_ns); fs_info->pid_ns =3D get_pid_ns(ctx->pid_ns); } + return 0; } =20 static int proc_fill_super(struct super_block *s, struct fs_context *fc) @@ -255,7 +261,9 @@ static int proc_fill_super(struct super_block *s, struc= t fs_context *fc) =20 fs_info->pid_ns =3D get_pid_ns(ctx->pid_ns); fs_info->mounter_cred =3D get_cred(fc->cred); - proc_apply_options(fs_info, fc, current_user_ns()); + ret =3D proc_apply_options(fs_info, fc, current_user_ns()); + if (ret) + return ret; =20 /* User space would break if executables or devices appear on proc */ s->s_iflags |=3D SB_I_NOEXEC | SB_I_NODEV; 
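Review bot: the "if (ret) return ret;" added to proc_fill_super() leaks fs_info together with the pid_ns and mounter_cred references taken just above it: s->s_fs_info = fs_info is only assigned later in the function (visible in 6/7's hunk as "s->s_time_gran = 1; s->s_fs_info = fs_info;"), so proc_kill_sb()'s "if (fs_info)" never sees it. The path is unreachable today because the new rejection requires fc->purpose == FS_CONTEXT_FOR_RECONFIGURE, which never holds in fill_super, but dead error handling that leaks is worse than none. Either release the references before returning, put_pid_ns(fs_info->pid_ns); put_cred(fs_info->mounter_cred); kfree(fs_info);, or move the s_fs_info assignment above the call so kill_sb can clean up. The reconfigure rejection itself is placed before the gid and hidepid assignments, so a failed remount leaves the instance untouched as the commit message promises, and it only fires when ctx->pidonly != fs_info->pidonly, so remounting with the same subset=pid still succeeds.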
@@ -304,8 +312,7 @@ static int proc_reconfigure(struct fs_context *fc) =20 sync_filesystem(sb); =20 - proc_apply_options(fs_info, fc, current_user_ns()); - return 0; + return proc_apply_options(fs_info, fc, current_user_ns()); } =20 static int proc_get_tree(struct fs_context *fc) --=20 2.54.0 From nobody Fri Jun 12 07:25:48 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9E8A239B4BB; Mon, 27 Apr 2026 08:27:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278429; cv=none; b=aaocYoCqEtzy5ofjYGNWF1n50B+fZdpJl96JK60frecQjgJ/0LzYNd8aoaCVefVc9SLNx/rMhymZndfHfNtrlOTS0+b2FYIpZ4zWq3xkpSRmloqnVJ8PkjTDjcbDKNS2KMN212wE9rRtcN8MS5WFofR8hVZ6xPsAUgLDXnWKgXQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777278429; c=relaxed/simple; bh=5zkkuQMPyAXleKE4/+XDYuvRaItMKHwmoNXSzv0Vp1g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=CzyvbKvfsvqZ3sIZceBHHTxmU7GujSi5wQCE7utSqy43AReJMzCQGYHXSNTOWIklJa+9uCDWV61ZfF9Hsm3fArj1QUSkrikGYbFE9ly9R48DxJYa2IGuWsmtiyFYsfYPqrhoJraS2iIxGx6qPGbEXNGNHvV94xcyXu4yb/Z84qM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=aNC2Iwj6; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="aNC2Iwj6" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 8630AC19425; Mon, 27 Apr 2026 08:27:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1777278429; bh=5zkkuQMPyAXleKE4/+XDYuvRaItMKHwmoNXSzv0Vp1g=; 
h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=aNC2Iwj6ezrquWrmD3ZUHBzkXuFURwGvfH47VDmPjxddXS8ABX6NolgrQjTylGpzM dM1JKb0x4emJn6V3Rm51pe3OaJpntMLAFPwrq8GlXH3oAecjOnxGy91RP2iCNjGp1v gdlDehlKzExbPT1syacj0xfhK76kyL8ZUdeMHRI6YCNHFJUSPrhBDmR4uJ3Yi8Cbyj 0XsyTBypSZYh67QERJ67+3MM8jgxxmEILIMxS32DuV0KyuqRTr2ZgiReHnkmiFQ85u AKQQ/9XIfiILu7FOGbAeEt0d6d4j73Nz7x03iVsl27CjnrCBoy/XJYkSBK2YdcMjtw +J6wb4+UXlcxg== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , Aleksa Sarai , "Eric W . Biederman" , Kees Cook , containers@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v10 6/7] proc: handle subset=pid separately in userns visibility checks Date: Mon, 27 Apr 2026 10:26:07 +0200 Message-ID: <4d5e760c3d534dd2e05578d119cc408450053a98.1777278334.git.legion@kernel.org> X-Mailer: git-send-email 2.54.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When procfs is mounted with subset=3Dpid, only the dynamic process-related part of the filesystem remains visible. That part cannot be hidden by overmounts, so checking whether an existing procfs mount is fully visible does not make sense for this mode. At the same time, a subset=3Dpid procfs mount must not be used as evidence that a later procfs mount would not reveal additional information. It provides a restricted view of procfs, not the full filesystem view. Mark subset=3Dpid procfs instances as restricted variants. Ignore restricted variants when looking for an already-visible mount, and allow new restricted variants without consulting mnt_already_visible(). Signed-off-by: Alexey Gladkov Reviewed-by: Aleksa Sarai --- fs/namespace.c | 17 ++++++++++++++++- fs/proc/root.c | 3 +++ include/linux/fs/super_types.h | 1 + 3 files changed, 20 insertions(+), 1 deletion(-) 
diff --git a/fs/namespace.c b/fs/namespace.c index ed13416370e3..389d8654f36f 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -6323,10 +6323,18 @@ static bool mnt_already_visible(struct mnt_namespac= e *ns, =20 guard(namespace_shared)(); hlist_for_each_entry(mnt, &ns->mnt_visible_mounts, mnt_ns_visible) { + const struct super_block *sb_visible =3D mnt->mnt.mnt_sb; struct mount *child; int mnt_flags; =20 - if (mnt->mnt.mnt_sb->s_type !=3D sb->s_type) + if (sb_visible->s_type !=3D sb->s_type) + continue; + + /* + * Restricted variants are not compatible with anything, even + * other restricted variants. + */ + if (sb_visible->s_iflags & SB_I_RESTRICTED_VARIANT) continue; =20 /* A local view of the mount flags */ @@ -6388,6 +6396,13 @@ static bool mount_too_revealing(const struct super_b= lock *sb, int *new_mnt_flags return true; } =20 + /* + * Restricted variants don't need an already visible mount because they + * don't expose the full filesystem view. + */ + if (s_iflags & SB_I_RESTRICTED_VARIANT) + return false; + return !mnt_already_visible(ns, sb, new_mnt_flags); } =20 diff --git a/fs/proc/root.c b/fs/proc/root.c index 1bf75a4ee146..99adddfeb4a4 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c @@ -275,6 +275,9 @@ static int proc_fill_super(struct super_block *s, struc= t fs_context *fc) s->s_time_gran =3D 1; s->s_fs_info =3D fs_info; =20 + if (fs_info->pidonly =3D=3D PROC_PIDONLY_ON) + s->s_iflags |=3D SB_I_RESTRICTED_VARIANT; + /* * procfs isn't actually a stacking filesystem; however, there is * too much magic going on inside it to permit stacking things on diff --git a/include/linux/fs/super_types.h b/include/linux/fs/super_types.h index 182efbeb9520..a6cdc8f6de4e 100644 --- a/include/linux/fs/super_types.h +++ b/include/linux/fs/super_types.h 
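Review bot: the new SB_I_RESTRICTED_VARIANT early return in mount_too_revealing() sits after the required_iflags WARN_ONCE / "return true" block, so a subset=pid instance still has to carry SB_I_NOEXEC | SB_I_NODEV and is still refused if it does not; that ordering is load-bearing and should be stated in the comment, because hoisting the early return above that block would silently drop the check for restricted variants. The safety argument for admitting a restricted variant without an already visible mount rests on two things: the restricted view cannot be narrowed by overmounts, and 4/7 gates /proc/<pid>/net on the mounter's CAP_NET_ADMIN. The comment "don't expose the full filesystem view" should name that second dependency so the two patches are not changed independently. In mnt_already_visible(), skipping restricted entries is the right direction (a subset=pid mount must never vouch for a full mount) and the sb_visible alias is a readability win. Nit on the accompanying super_types.h hunk: SB_I_RESTRICTED_VARIANT reuses the 0x00000010 bit vacated by SB_I_USERNS_VISIBLE in 2/7, and is the only entry in that block without a trailing comment; a short "/* partial view of the fs, e.g. proc subset=pid */" would match SB_I_STABLE_WRITES above it and flag the bit reuse for anyone still carrying the old name out of tree.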
@@ -326,6 +326,7 @@ struct super_block { #define SB_I_STABLE_WRITES 0x00000008 /* don't modify blks until WB is don= e */ =20 /* sb->s_iflags to limit user namespace mounts */ +#define SB_I_RESTRICTED_VARIANT 0x00000010 #define SB_I_IMA_UNVERIFIABLE_SIGNATURE 0x00000020 #define SB_I_UNTRUSTED_MOUNTER 0x00000040 #define SB_I_EVM_HMAC_UNSUPPORTED 0x00000080
-- 
2.54.0
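Review bot: the new comment in the mnt_already_visible() hunk ("Restricted variants are not compatible with anything, even other restricted variants") states the rule without its reason, and the "even other restricted variants" case never reaches this loop once mount_too_revealing() returns early for a restricted request, so the comment reads as if both directions were decided here. Suggest wording it from the commit message's angle, e.g. "A subset=pid instance exposes only the process-related view, so it cannot prove that a full procfs mount would reveal nothing new; never let it vouch." A second sentence on why reading sb_visible->s_iflags under guard(namespace_shared) is safe would also help: SB_I_RESTRICTED_VARIANT is set once in proc_fill_super() and, per the 7/7 docs, subset= cannot be changed on an existing instance, so the bit cannot flip under the walker.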
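Review bot: in the mount_too_revealing() hunk, returning false before the call means new_mnt_flags is never handed to mnt_already_visible() for restricted variants, and in the visible code that call is the only consumer of the pointer. If the readonly/atime comparison against an existing locked mount lives inside mnt_already_visible() (the "A local view of the mount flags" block that follows), a subset=pid mount is thereby exempt from restriction 2 of the 7/7 text ("A new mount overrides the readonly option or any option from atime family"), which the docs present as unconditional. Either say in the new comment that readonly/atime lock propagation is intentionally waived for subset=pid (and reflect that in 4.2), or keep the flag comparison for restricted requests and skip only the full-visibility test.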
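Review bot: the proc_fill_super() hunk sets the bit only at superblock creation, so the mnt_already_visible() skip is correct only as long as pidonly never changes for a live superblock. The 7/7 docs state that subset= cannot be changed on an existing instance, but nothing at this site records that dependency; a one-line comment above the new if, e.g. "subset=pid is fixed for the lifetime of the superblock, so this bit is never cleared", would keep a future reconfigure change from silently leaving a stale s_iflags bit that mnt_already_visible() still trusts.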
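Review bot: the new SB_I_RESTRICTED_VARIANT define is the only entry in this hunk without a trailing comment, while its neighbour SB_I_STABLE_WRITES documents its meaning inline; since "restricted variant" is a generic name whose semantics are defined in fs/namespace.c, add something like "/* exposes a subset of the fs; never counts as a fully visible mount */" so readers of the header do not have to locate mnt_already_visible() to understand it.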
From: Alexey Gladkov
To: Christian Brauner, Dan Klishch
Cc: Al Viro, Aleksa Sarai, "Eric W. Biederman", Kees Cook, containers@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v10 7/7] docs: proc: add documentation about mount restrictions
Date: Mon, 27 Apr 2026 10:26:08 +0200

procfs has a number of mounting restrictions that are not documented
anywhere.

Signed-off-by: Alexey Gladkov
Reviewed-by: Aleksa Sarai
---
 Documentation/filesystems/proc.rst | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems= /proc.rst index b0c0d1b45b99..b836b725b35d 100644 --- a/Documentation/filesystems/proc.rst +++ b/Documentation/filesystems/proc.rst @@ -52,6 +52,7 @@ fixes/update part 1.1 Stefani Seibold June 9 2009 =20 4 Configuring procfs 4.1 Mount options + 4.2 Mount restrictions =20 5 Filesystem behavior =20
@@ -2401,7 +2402,9 @@ prohibited by hidepid=3D. If you use some daemon lik= e identd which needs to learn information about processes information, just add identd to this group. =20 subset=3Dpid hides all top level files and directories in the procfs that -are not related to tasks. +are not related to tasks. This option cannot be changed on an existing +procfs instance because overmounts that existed before the change could +otherwise remain reachable after the top level procfs entries are hidden. =20 pidns=3D specifies a pid namespace (either as a string path to something l= ike `/proc/$pid/ns/pid`, or a file descriptor when using `FSCONFIG_SET_FD`) th= at @@ -2410,6 +2413,20 @@ will use the calling process's active pid namespace.= Note that the pid namespace of an existing procfs instance cannot be modified (attempting to= do so will give an `-EBUSY` error). =20 +4.2 Mount restrictions +-------------------------- + +If user namespaces are in use, the kernel additionally checks the instance= s of +procfs available to the mounter and will not allow procfs to be mounted if: + + 1. This mount is not fully visible unless the new procfs is going to be + mounted with subset=3Dpid option. + + a. Its root directory is not the root directory of the filesystem. + b. If any file or non-empty procfs directory is hidden by another mou= nt. + + 2. A new mount overrides the readonly option or any option from atime fa= mily. + Chapter 5: Filesystem behavior =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D =20 --=20 2.54.0
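Review bot: the sentence added to the subset=pid paragraph explains why the option is fixed but not what a caller observes when trying to change it, whereas the pidns= paragraph immediately below spells out that reconfiguring the pid namespace "will give an `-EBUSY` error". For symmetry, state the error that a subset= reconfigure returns (whatever the code actually produces) so readers can tell it apart from other mount failures.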
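Review bot: in the new 4.2 hunk, item 1 is ambiguous about which mount "This mount" means, and sub-items a. and b. hang off a sentence that already ends in an "unless ... subset=pid" clause, so it is unclear that a./b. define "not fully visible" rather than adding further conditions; b. also begins with "If" while a. does not. Suggested wording: "1. No procfs instance that is fully visible to the mounter already exists. An instance is not fully visible if (a) its root directory is not the root directory of the filesystem, or (b) any file or non-empty directory in it is hidden by another mount. This check is skipped when the new procfs is mounted with subset=pid." Minor: the underline under "4.2 Mount restrictions" is longer than the title, while the other headings in this file (e.g. "Chapter 5: Filesystem behavior") use an underline of exactly the title's length.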
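To make the decision rules concrete, here is a small model of the check a procfs mount goes through in a user namespace, covering both the subset=pid handling described in the 6/7 commit message and the 4.2 rules added above. This is an added example, not code from the kernel or from this series: the struct names, the M_* flag values and the hides_nonempty boolean are simplifications chosen for the model, and rule 2 is modelled from the documented wording ("overrides the readonly option or any option from atime family") rather than copied from fs/namespace.c.

```c
/*
 * Added example (not kernel code): a small model of the decision made when a
 * procfs mount is attempted inside a user namespace, following the rules in
 * the 4.2 text above and the subset=pid handling from patch 6/7.  Struct
 * names, the M_* flag bits and the hides_nonempty boolean are simplifications
 * chosen for this model; they are not kernel identifiers.
 */
#include <stdbool.h>
#include <stddef.h>

enum fs_type { FS_PROC, FS_SYS };

/* Model mount flags (assumed values, not the kernel's MNT_* bits). */
#define M_READONLY      0x1 /* mount is read-only */
#define M_LOCK_READONLY 0x2 /* read-only was locked by a parent namespace */
#define M_NOATIME       0x4 /* stands in for the whole atime family */
#define M_LOCK_ATIME    0x8 /* the atime setting is locked */

struct model_mount {
	enum fs_type type;
	bool restricted;      /* subset=pid instance (SB_I_RESTRICTED_VARIANT) */
	bool root_is_fs_root; /* rule 1a: mount root is the filesystem root */
	bool hides_nonempty;  /* rule 1b: a file or non-empty dir is overmounted */
	int flags;
};

/*
 * Does an existing mount of the same type already expose everything the new
 * one would?  subset=pid instances are skipped: they show only the
 * process-related view, so they cannot vouch for a full procfs mount.  Rule 2
 * is modelled as "a locked readonly/atime setting must be kept"; on success
 * the locked bits are carried over into *new_flags.
 */
static bool model_already_visible(const struct model_mount *mounts, size_t n,
				  enum fs_type type, int *new_flags)
{
	for (size_t i = 0; i < n; i++) {
		const struct model_mount *m = &mounts[i];

		if (m->type != type || m->restricted)
			continue;
		if (!m->root_is_fs_root || m->hides_nonempty)
			continue;
		if ((m->flags & M_LOCK_READONLY) && !(*new_flags & M_READONLY))
			continue;
		if ((m->flags & M_LOCK_ATIME) &&
		    (m->flags & M_NOATIME) != (*new_flags & M_NOATIME))
			continue;
		*new_flags |= m->flags & (M_LOCK_READONLY | M_LOCK_ATIME);
		return true;
	}
	return false;
}

/*
 * Attempt a procfs mount with the given flags.  Returns -1 if the kernel
 * would refuse it, otherwise the flags the new mount ends up with.  A
 * subset=pid request (restricted) skips the visibility check entirely.
 */
int model_try_mount(const struct model_mount *mounts, size_t n,
		    bool restricted, int flags)
{
	int new_flags = flags;

	if (restricted)
		return new_flags;
	if (!model_already_visible(mounts, n, FS_PROC, &new_flags))
		return -1;
	return new_flags;
}

/* Constructed scenario: only a subset=pid procfs exists in the namespace. */
int scenario_only_subset_exists(bool new_restricted)
{
	const struct model_mount mounts[] = { { FS_PROC, true, true, false, 0 } };

	return model_try_mount(mounts, 1, new_restricted, 0);
}

/* Constructed scenario: a fully visible procfs exists, locked read-only. */
int scenario_locked_readonly(int flags)
{
	const struct model_mount mounts[] = {
		{ FS_PROC, false, true, false, M_READONLY | M_LOCK_READONLY }
	};

	return model_try_mount(mounts, 1, false, flags);
}

/* Constructed scenario: a full procfs exists but is not fully visible. */
int scenario_not_fully_visible(bool subdir, bool hidden)
{
	const struct model_mount mounts[] = { { FS_PROC, false, !subdir, hidden, 0 } };

	return model_try_mount(mounts, 1, false, 0);
}
```

The case that matters for the series is scenario_only_subset_exists(false): with only a subset=pid instance present, a request for a full procfs is refused (-1) because the restricted instance is skipped in the loop, while scenario_only_subset_exists(true) is accepted without any peer at all. scenario_locked_readonly() shows rule 2 and the lock propagation: a read-write request against a read-only-locked peer is refused, a read-only request is accepted and comes back with M_LOCK_READONLY set.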