diff options
| author | Dave Marchevsky <[email protected]> | 2022-07-11 10:48:08 -0700 |
|---|---|---|
| committer | Miklos Szeredi <[email protected]> | 2022-07-21 16:06:19 +0200 |
| commit | 9ccf47b26b73ecf5b7278a4cb8d487d8ebb4c095 (patch) | |
| tree | a74a0364b8eb36b4824856ea84270a7a2967efd1 /drivers/usb/cdns3/cdns3-trace.c | |
| parent | c64797809a64c73497082aa05e401a062ec1af34 (diff) | |
fuse: Add module param for CAP_SYS_ADMIN access bypassing allow_other
Since commit 73f03c2b4b52 ("fuse: Restrict allow_other to the superblock's
namespace or a descendant"), access to allow_other FUSE filesystems has
been limited to users in the mounting user namespace or descendants. This
prevents a process that is privileged in its userns - but not its parent
namespaces - from mounting a FUSE fs w/ allow_other that is accessible to
processes in parent namespaces.
While this restriction makes sense overall it breaks a legitimate usecase:
I have a tracing daemon which needs to peek into process' open files in
order to symbolicate - similar to 'perf'. The daemon is a privileged
process in the root userns, but is unable to peek into FUSE filesystems
mounted by processes in child namespaces.
This patch adds a module param, allow_sys_admin_access, to act as an escape
hatch for this descendant userns logic and for the allow_other mount option
in general. Setting allow_sys_admin_access allows processes with
CAP_SYS_ADMIN in the initial userns to access FUSE filesystems irrespective
of the mounting userns or whether allow_other was set. A sysadmin setting
this param must trust FUSEs on the host to not DoS processes as described
in 73f03c2b4b52.
Signed-off-by: Dave Marchevsky <[email protected]>
Reviewed-by: Christian Brauner (Microsoft) <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>
Diffstat (limited to 'drivers/usb/cdns3/cdns3-trace.c')
0 files changed, 0 insertions, 0 deletions