diff options
| author | Dave Marchevsky <davemarchevsky@fb.com> | 2022-07-11 20:48:08 +0300 |
|---|---|---|
| committer | Miklos Szeredi <mszeredi@redhat.com> | 2022-07-21 17:06:19 +0300 |
| commit | 9ccf47b26b73ecf5b7278a4cb8d487d8ebb4c095 (patch) | |
| tree | a74a0364b8eb36b4824856ea84270a7a2967efd1 /sound | |
| parent | c64797809a64c73497082aa05e401a062ec1af34 (diff) | |
| download | linux-9ccf47b26b73ecf5b7278a4cb8d487d8ebb4c095.tar.xz | |
fuse: Add module param for CAP_SYS_ADMIN access bypassing allow_other
Since commit 73f03c2b4b52 ("fuse: Restrict allow_other to the superblock's
namespace or a descendant"), access to allow_other FUSE filesystems has
been limited to users in the mounting user namespace or descendants. This
prevents a process that is privileged in its userns - but not its parent
namespaces - from mounting a FUSE fs w/ allow_other that is accessible to
processes in parent namespaces.
While this restriction makes sense overall it breaks a legitimate usecase:
I have a tracing daemon which needs to peek into process' open files in
order to symbolicate - similar to 'perf'. The daemon is a privileged
process in the root userns, but is unable to peek into FUSE filesystems
mounted by processes in child namespaces.
This patch adds a module param, allow_sys_admin_access, to act as an escape
hatch for this descendant userns logic and for the allow_other mount option
in general. Setting allow_sys_admin_access allows processes with
CAP_SYS_ADMIN in the initial userns to access FUSE filesystems irrespective
of the mounting userns or whether allow_other was set. A sysadmin setting
this param must trust FUSEs on the host to not DoS processes as described
in 73f03c2b4b52.
Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Diffstat (limited to 'sound')
0 files changed, 0 insertions, 0 deletions