UBUNTU: SAUCE: fuse: Add module parameter to enable user namespace mounts

This is still an experimental feature, so disable it by default and allow it only when the system administrator supplies the userns_mounts=true module parameter. Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

UBUNTU: SAUCE: fuse: Add module parameter to enable user namespace mounts
This is still an experimental feature, so disable it by default and allow it only when the system administrator supplies the userns_mounts=true module parameter. Signed-off-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
a2da8ccb · Seth Forshee · Tim Gardner · 41d8f9b2 · a2da8ccb
Commit a2da8ccb authored Feb 09, 2016 by Seth Forshee Committed by Tim Gardner Apr 06, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

fs/fuse/inode.c fs/fuse/inode.c +7 -0

No files found.
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -48,6 +48,10 @@ MODULE_PARM_DESC(max_user_congthresh,
 "Global limit for the maximum congestion threshold an "
 "unprivileged user can set");

+static bool userns_mounts;
+module_param(userns_mounts, bool, 0644);
+MODULE_PARM_DESC(userns_mounts, "Allow mounts from unprivileged user namespaces");
+
 #define FUSE_SUPER_MAGIC 0x65735546

 #define FUSE_DEFAULT_BLKSIZE 512
@@ -1047,6 +1051,9 @@ static int fuse_fill_super(struct super_block *sb, void *data, int silent)
 	int err;
 	int is_bdev = sb->s_bdev != NULL;

+	if (!userns_mounts && !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	err = -EINVAL;
 	if (sb->s_flags & MS_MANDLOCK)
 		goto err;