| Message ID | 1469198645-16997-1-git-send-email-seth.forshee@canonical.com |
|---|---|
| State | New |
| Headers | show |
On Fri, Jul 22, 2016 at 09:44:05AM -0500, Seth Forshee wrote: > BugLink: http://bugs.launchpad.net/bugs/1603719 > > 302cabb "UBUNTU: SAUCE: (namespace) Sync with upstream s_user_ns > patches" added a capability check to sget() which causes a > regression for automatic submounts, which may happen in the > context of an unprivileged user. The capability check is not > necessary in this case. > > The check can be bypassed by using sget_userns() instead. > init_user_namespace should be used for the user ns since nfs does > not support unprivileged mounting. This change makes the nfs > mount behavior in xenial functionally identical to upstream. > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> > --- > fs/nfs/super.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/nfs/super.c b/fs/nfs/super.c > index f126828..8a57020 100644 > --- a/fs/nfs/super.c > +++ b/fs/nfs/super.c > @@ -2559,7 +2559,8 @@ struct dentry *nfs_fs_mount_common(struct nfs_server *server, > sb_mntdata.mntflags |= MS_SYNCHRONOUS; > > /* Get a superblock - note that we may end up sharing one that already exists */ > - s = sget(nfs_mod->nfs_fs, compare_super, nfs_set_super, flags, &sb_mntdata); > + s = sget_userns(nfs_mod->nfs_fs, compare_super, nfs_set_super, flags, > + &init_user_ns, &sb_mntdata); > if (IS_ERR(s)) { > mntroot = ERR_CAST(s); > goto out_err_nosb; Sounds reasonable, good testing. -apw
On Fri, Jul 22, 2016 at 05:13:19PM +0100, Andy Whitcroft wrote: > On Fri, Jul 22, 2016 at 09:44:05AM -0500, Seth Forshee wrote: > > BugLink: http://bugs.launchpad.net/bugs/1603719 > > > > 302cabb "UBUNTU: SAUCE: (namespace) Sync with upstream s_user_ns > > patches" added a capability check to sget() which causes a > > regression for automatic submounts, which may happen in the > > context of an unprivileged user. The capability check is not > > necessary in this case. > > > > The check can be bypassed by using sget_userns() instead. > > init_user_namespace should be used for the user ns since nfs does > > not support unprivileged mounting. This change makes the nfs > > mount behavior in xenial functionally identical to upstream. > > > > Signed-off-by: Seth Forshee <seth.forshee@canonical.com> > > --- > > fs/nfs/super.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/fs/nfs/super.c b/fs/nfs/super.c > > index f126828..8a57020 100644 > > --- a/fs/nfs/super.c > > +++ b/fs/nfs/super.c > > @@ -2559,7 +2559,8 @@ struct dentry *nfs_fs_mount_common(struct nfs_server *server, > > sb_mntdata.mntflags |= MS_SYNCHRONOUS; > > > > /* Get a superblock - note that we may end up sharing one that already exists */ > > - s = sget(nfs_mod->nfs_fs, compare_super, nfs_set_super, flags, &sb_mntdata); > > + s = sget_userns(nfs_mod->nfs_fs, compare_super, nfs_set_super, flags, > > + &init_user_ns, &sb_mntdata); > > if (IS_ERR(s)) { > > mntroot = ERR_CAST(s); > > goto out_err_nosb; > > Sounds reasonable, good testing. Acked-by: Andy Whitcroft <apw@canonical.com> -apw
Applied to xenial master-next.
diff --git a/fs/nfs/super.c b/fs/nfs/super.c index f126828..8a57020 100644 --- a/fs/nfs/super.c +++ b/fs/nfs/super.c @@ -2559,7 +2559,8 @@ struct dentry *nfs_fs_mount_common(struct nfs_server *server, sb_mntdata.mntflags |= MS_SYNCHRONOUS; /* Get a superblock - note that we may end up sharing one that already exists */ - s = sget(nfs_mod->nfs_fs, compare_super, nfs_set_super, flags, &sb_mntdata); + s = sget_userns(nfs_mod->nfs_fs, compare_super, nfs_set_super, flags, + &init_user_ns, &sb_mntdata); if (IS_ERR(s)) { mntroot = ERR_CAST(s); goto out_err_nosb;
BugLink: http://bugs.launchpad.net/bugs/1603719 302cabb "UBUNTU: SAUCE: (namespace) Sync with upstream s_user_ns patches" added a capability check to sget() which causes a regression for automatic submounts, which may happen in the context of an unprivileged user. The capability check is not necessary in this case. The check can be bypassed by using sget_userns() instead. init_user_namespace should be used for the user ns since nfs does not support unprivileged mounting. This change makes the nfs mount behavior in xenial functionally identical to upstream. Signed-off-by: Seth Forshee <seth.forshee@canonical.com> --- fs/nfs/super.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)