summaryrefslogtreecommitdiffstats
path: root/README
diff options
context:
space:
mode:
authorDave Marchevsky <davemarchevsky@fb.com>2022-07-11 19:48:08 +0200
committerMiklos Szeredi <mszeredi@redhat.com>2022-07-21 16:06:19 +0200
commit9ccf47b26b73ecf5b7278a4cb8d487d8ebb4c095 (patch)
treea74a0364b8eb36b4824856ea84270a7a2967efd1 /README
parentfuse: Remove the control interface for virtio-fs (diff)
downloadlinux-9ccf47b26b73ecf5b7278a4cb8d487d8ebb4c095.tar.xz
linux-9ccf47b26b73ecf5b7278a4cb8d487d8ebb4c095.zip
fuse: Add module param for CAP_SYS_ADMIN access bypassing allow_other
Since commit 73f03c2b4b52 ("fuse: Restrict allow_other to the superblock's namespace or a descendant"), access to allow_other FUSE filesystems has been limited to users in the mounting user namespace or descendants. This prevents a process that is privileged in its userns - but not its parent namespaces - from mounting a FUSE fs w/ allow_other that is accessible to processes in parent namespaces. While this restriction makes sense overall it breaks a legitimate usecase: I have a tracing daemon which needs to peek into process' open files in order to symbolicate - similar to 'perf'. The daemon is a privileged process in the root userns, but is unable to peek into FUSE filesystems mounted by processes in child namespaces. This patch adds a module param, allow_sys_admin_access, to act as an escape hatch for this descendant userns logic and for the allow_other mount option in general. Setting allow_sys_admin_access allows processes with CAP_SYS_ADMIN in the initial userns to access FUSE filesystems irrespective of the mounting userns or whether allow_other was set. A sysadmin setting this param must trust FUSEs on the host to not DoS processes as described in 73f03c2b4b52. Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com> Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'README')
0 files changed, 0 insertions, 0 deletions