• Dave Marchevsky's avatar
    fuse: Add module param for CAP_SYS_ADMIN access bypassing allow_other · 9ccf47b2
    Dave Marchevsky authored
    Since commit 73f03c2b ("fuse: Restrict allow_other to the superblock's
    namespace or a descendant"), access to allow_other FUSE filesystems has
    been limited to users in the mounting user namespace or descendants. This
    prevents a process that is privileged in its userns - but not its parent
    namespaces - from mounting a FUSE fs w/ allow_other that is accessible to
    processes in parent namespaces.
    
    While this restriction makes sense overall it breaks a legitimate usecase:
    I have a tracing daemon which needs to peek into process' open files in
    order to symbolicate - similar to 'perf'. The daemon is a privileged
    process in the root userns, but is unable to peek into FUSE filesystems
    mounted by processes in child namespaces.
    
    This patch adds a module param, allow_sys_admin_access, to act as an escape
    hatch for this descendant userns logic and for the allow_other mount option
    in general. Setting allow_sys_admin_access allows processes with
    CAP_SYS_ADMIN in the initial userns to access FUSE filesystems irrespective
    of the mounting userns or whether allow_other was set. A sysadmin setting
    this param must trust FUSEs on the host to not DoS processes as described
    in 73f03c2b.
    Signed-off-by: default avatarDave Marchevsky <davemarchevsky@fb.com>
    Reviewed-by: default avatarChristian Brauner (Microsoft) <brauner@kernel.org>
    Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
    9ccf47b2
dir.c 48.8 KB