From nobody Sun Feb 8 15:30:56 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 12CD2389DEB; Tue, 13 Jan 2026 09:21:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768296086; cv=none; b=fm6m5WTerWhkwnDg8ZW3f989y0AUIP+nnAzwc8MmTXl7FBZr8hTJ/nBFkdxwjW2Gr1i93onBPZ/F9ggyHCKW0l4kFU4XG0u4ygxW1RnN5UN3qNa0L+qRz0EhmnRNp+6BpG3nwcBLEvv64v3o3Z/HNz6trzIbb/aSmDmGOX8+oG0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1768296086; c=relaxed/simple; bh=eX+w5EfcvclBT2LFvZ5gN3ESzAkXLUYEfvQmmraqHgg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=M6y4aN3YpbhjmDcl2mWyHICKEfnnqp/VMUY0xLAaKKPDKjK2QCbDQU2rV36Ajpp9hIbl04bDShx5AdmccoLw8ltltgyDKgKT/DYRYTOSjmUp2M4zmj8hu1yBtg583s04VaUhAoY/C+vwx+6S3l9YyAqRmtSK73f3Y39ojmlZCJ4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=QfDsoafi; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="QfDsoafi" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 66AA6C19423; Tue, 13 Jan 2026 09:21:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1768296080; bh=eX+w5EfcvclBT2LFvZ5gN3ESzAkXLUYEfvQmmraqHgg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=QfDsoafiTkOGF4vw0oyVCqdL7p+zyeEKemegkohPRr79xGLYwKj1x3Ub7Sy41k57h oDem4+PXn44UZFDHb5HOqEjGNb874EnIa5NRZoLUyRrmu+hbnteJftXZ4lh2Fct9nu QSd05NzohgmiidgpF34AFXwU6ydLtgp1phHlYXg36csG3gY92GY+tn/FySfp8QKQNa yqcn3rzn9cxCBjLWiB6ExbllpI8SaGEa7A+bVRAYBEZEyoTniCvoP5JbdfIEG38qs8 
U858jrobTnSnUxnXJgaGVy4YZjigGD0id+4QJNhRbEOYgqB7zn4bH71uN6KF/tHXzC 7G1kIgXEeAzCA== From: Alexey Gladkov To: Christian Brauner , Dan Klishch Cc: Al Viro , "Eric W . Biederman" , Kees Cook , containers@lists.linux-foundation.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v7 4/5] proc: Relax check of mount visibility Date: Tue, 13 Jan 2026 10:20:36 +0100 Message-ID: X-Mailer: git-send-email 2.52.0 In-Reply-To: References: <20251213050639.735940-1-danilklishch@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When /proc is mounted with the subset=3Dpid option, all system files from the root of the file system are not accessible in userspace. Only dynamic information about processes is available, which cannot be hidden with overmount. For this reason, checking for full visibility is not relevant if mounting is performed with the subset=3Dpid option. Signed-off-by: Alexey Gladkov --- fs/namespace.c | 29 ++++++++++++++++------------- fs/proc/root.c | 16 ++++++++++------ include/linux/fs/super_types.h | 2 ++ 3 files changed, 28 insertions(+), 19 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index c58674a20cad..7daa86315c05 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -6116,7 +6116,8 @@ static bool mnt_already_visible(struct mnt_namespace = *ns, /* This mount is not fully visible if it's root directory * is not the root directory of the filesystem. */ - if (mnt->mnt.mnt_root !=3D mnt->mnt.mnt_sb->s_root) + if (!(sb->s_iflags & SB_I_USERNS_ALLOW_REVEALING) && + mnt->mnt.mnt_root !=3D mnt->mnt.mnt_sb->s_root) continue; =20 /* A local view of the mount flags */ 
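Review bot: The comment above the changed condition in mnt_already_visible() still says unconditionally that a mount rooted below the filesystem root is not fully visible, while the new condition skips that test whenever `sb` carries SB_I_USERNS_ALLOW_REVEALING. This test is one of the guards on what a user namespace may mount afresh, so the exemption deserves its own line, for example `/* Skipped for superblocks flagged SB_I_USERNS_ALLOW_REVEALING: they expose nothing an overmount could hide */`. The same flag test is repeated in the next hunk (@@ -6136) and does not change inside the loop, so it could be read once before the loop into a local such as `const bool need_full = !(sb->s_iflags & SB_I_USERNS_ALLOW_REVEALING);`. `sb` is declared outside this hunk and appears to be the superblock being mounted rather than the existing mount's, which the comment should make explicit.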
@@ -6136,18 +6137,20 @@ static bool mnt_already_visible(struct mnt_namespac= e *ns, ((mnt_flags & MNT_ATIME_MASK) !=3D (new_flags & MNT_ATIME_MASK))) continue; =20 - /* This mount is not fully visible if there are any - * locked child mounts that cover anything except for - * empty directories. - */ - list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { - struct inode *inode =3D child->mnt_mountpoint->d_inode; - /* Only worry about locked mounts */ - if (!(child->mnt.mnt_flags & MNT_LOCKED)) - continue; - /* Is the directory permanently empty? */ - if (!is_empty_dir_inode(inode)) - goto next; + if (!(sb->s_iflags & SB_I_USERNS_ALLOW_REVEALING)) { + /* This mount is not fully visible if there are any + * locked child mounts that cover anything except for + * empty directories. + */ + list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) { + struct inode *inode =3D child->mnt_mountpoint->d_inode; + /* Only worry about locked mounts */ + if (!IS_MNT_LOCKED(child)) + continue; + /* Is the directory permanently empty? */ + if (!is_empty_dir_inode(inode)) + goto next; + } } /* Preserve the locked attributes */ *new_mnt_flags |=3D mnt_flags & (MNT_LOCK_READONLY | \ diff --git a/fs/proc/root.c b/fs/proc/root.c index b9f33b67cdd6..354dc13417e3 100644 --- a/fs/proc/root.c +++ b/fs/proc/root.c 
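Review bot: Inside the new `if` block the locked-mount test changes from `!(child->mnt.mnt_flags & MNT_LOCKED)` to `!IS_MNT_LOCKED(child)`, which is unrelated to the relaxation this patch is about. In a function that decides whether an unprivileged mount is allowed, the re-indented loop is easier to audit if it stays textually identical to the removed one. The macro substitution could go in a separate patch, or at least be mentioned in the commit message. The enclosing function starts and ends outside the hunk.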
@@ -223,18 +223,21 @@ static int proc_parse_param(struct fs_context *fc, st= ruct fs_parameter *param) return 0; } =20 -static int proc_apply_options(struct proc_fs_info *fs_info, +static int proc_apply_options(struct super_block *s, struct fs_context *fc, struct user_namespace *user_ns) { struct proc_fs_context *ctx =3D fc->fs_private; + struct proc_fs_info *fs_info =3D proc_sb_info(s); =20 if (ctx->mask & (1 << Opt_gid)) fs_info->pid_gid =3D make_kgid(user_ns, ctx->gid); if (ctx->mask & (1 << Opt_hidepid)) fs_info->hide_pid =3D ctx->hidepid; if (ctx->mask & (1 << Opt_subset)) { - if (ctx->pidonly !=3D PROC_PIDONLY_ON && fs_info->pidonly =3D=3D PROC_PI= DONLY_ON) + if (ctx->pidonly =3D=3D PROC_PIDONLY_ON) + s->s_iflags |=3D SB_I_USERNS_ALLOW_REVEALING; + else if (fs_info->pidonly =3D=3D PROC_PIDONLY_ON) return invalf(fc, "proc: subset=3Dpid cannot be unset\n"); fs_info->pidonly =3D ctx->pidonly; } @@ -259,9 +262,6 @@ static int proc_fill_super(struct super_block *s, struc= t fs_context *fc) =20 fs_info->pid_ns =3D get_pid_ns(ctx->pid_ns); fs_info->mounter_cred =3D get_cred(fc->cred); - ret =3D proc_apply_options(fs_info, fc, current_user_ns()); - if (ret) - return ret; =20 /* User space would break if executables or devices appear on proc */ s->s_iflags |=3D SB_I_USERNS_VISIBLE | SB_I_NOEXEC | SB_I_NODEV; @@ -273,6 +273,10 @@ static int proc_fill_super(struct super_block *s, stru= ct fs_context *fc) s->s_time_gran =3D 1; s->s_fs_info =3D fs_info; =20 + ret =3D proc_apply_options(s, fc, current_user_ns()); + if (ret) + return ret; + /* * procfs isn't actually a stacking filesystem; however, there is * too much magic going on inside it to permit stacking things on 
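Review bot: In proc_apply_options() the flag is set from `ctx->pidonly` one statement before `fs_info->pidonly = ctx->pidonly`, so the invariant that SB_I_USERNS_ALLOW_REVEALING implies a pid-only instance is held only by the order of these lines and by the "cannot be unset" rejection. The bit is never cleared, which is correct only while that rejection stays, and a comment should say so, e.g. `/* Never cleared: subset=pid cannot be unset, and mnt_already_visible() relies on this bit meaning pid-only */`. Because the helper is also called from proc_reconfigure() (the @@ -313 hunk), the bit is now also set on remount. The hunks shown do not reveal a reader of it on that path, so it is worth confirming this is intended.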
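Review bot: In the @@ -273 hunk the call to proc_apply_options() now has to come after `s->s_fs_info = fs_info;`, because the helper obtains fs_info through `proc_sb_info(s)`, but nothing at the call site says so. A short comment such as `/* Must follow the s_fs_info assignment: proc_apply_options() looks fs_info up via proc_sb_info(s) */` would keep a later reordering from handing the helper a NULL pointer (assuming proc_sb_info() returns s->s_fs_info, which is not visible here). The move also means the error return now happens with s->s_fs_info already set, whereas before it was still unset. The cleanup path is outside the hunk, so it should be confirmed that it releases fs_info and its references in this state. proc_fill_super() begins and ends outside the hunk.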
@@ -313,7 +317,7 @@ static int proc_reconfigure(struct fs_context *fc) put_cred(fs_info->mounter_cred); fs_info->mounter_cred =3D get_cred(fc->cred); =20 - return proc_apply_options(fs_info, fc, current_user_ns()); + return proc_apply_options(sb, fc, current_user_ns()); } =20 static int proc_get_tree(struct fs_context *fc) diff --git a/include/linux/fs/super_types.h b/include/linux/fs/super_types.h index 6bd3009e09b3..5e640b9140df 100644 --- a/include/linux/fs/super_types.h +++ b/include/linux/fs/super_types.h @@ -333,4 +333,6 @@ struct super_block { #define SB_I_NOIDMAP 0x00002000 /* No idmapped mounts on this superblock */ #define SB_I_ALLOW_HSM 0x00004000 /* Allow HSM events on this superblock */ =20 +#define SB_I_USERNS_ALLOW_REVEALING 0x00008000 /* Skip full visibility che= ck */ + #endif /* _LINUX_FS_SUPER_TYPES_H */ --=20 2.52.0
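Review bot: The comment on the new SB_I_USERNS_ALLOW_REVEALING define, "Skip full visibility check", does not say which check is skipped or when a filesystem may set the bit. The flag lives in the generic s_iflags space, so any filesystem that sets it bypasses the root and locked-overmount tests in mnt_already_visible(), and the contract belongs at the definition. Something like `/* Exposes nothing an overmount can hide: mnt_already_visible() skips its root and locked-child checks */` would state it. As far as this patch shows, only procfs with subset=pid sets the bit.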