Commit df2474a2 authored by Jeff Layton

locks: print a warning when mount fails due to lack of "mand" support

Since 9e8925b6 ("locks: Allow disabling mandatory locking at compile
time"), attempts to mount filesystems with "-o mand" will fail.
Unfortunately, there is no other indication of the reason for the
failure.

Change how the function is defined for better readability. When
CONFIG_MANDATORY_FILE_LOCKING is disabled, printk a warning when
someone attempts to mount with -o mand.

Also, add a blurb to the mandatory-locking.txt file to explain about
the "mand" option, and the behavior one should expect when it is
disabled.

Reported-by: Jan Kara <jack@suse.cz>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
parent 43e4cb94
...@@ -169,3 +169,13 @@ havoc if they lock crucial files. The way around it is to change the file ...@@ -169,3 +169,13 @@ havoc if they lock crucial files. The way around it is to change the file
permissions (remove the setgid bit) before trying to read or write to it. permissions (remove the setgid bit) before trying to read or write to it.
Of course, that might be a bit tricky if the system is hung :-( Of course, that might be a bit tricky if the system is hung :-(
7. The "mand" mount option
--------------------------
Mandatory locking is disabled on all filesystems by default, and must be
administratively enabled by mounting with "-o mand". That mount option
is only allowed if the mounting task has the CAP_SYS_ADMIN capability.
Since kernel v4.5, it is possible to disable mandatory locking
altogether by setting CONFIG_MANDATORY_FILE_LOCKING to "n". A kernel
with this disabled will reject attempts to mount filesystems with the
"mand" mount option with the error status EPERM.
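Review bot: The last paragraph of the new section 7 documents the EPERM result but not the kernel log message that the code change in this same commit adds, and that message is the only thing that tells an administrator why the mount was refused. Consider adding a sentence saying that a kernel built with CONFIG_MANDATORY_FILE_LOCKING set to "n" also logs the warning 'VFS: "mand" mount option not supported', so that someone diagnosing a failed mount knows to check the kernel log.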
...@@ -1643,13 +1643,18 @@ static inline bool may_mount(void) ...@@ -1643,13 +1643,18 @@ static inline bool may_mount(void)
return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN); return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN);
} }
#ifdef CONFIG_MANDATORY_FILE_LOCKING
static inline bool may_mandlock(void) static inline bool may_mandlock(void)
{ {
#ifndef CONFIG_MANDATORY_FILE_LOCKING
return false;
#endif
return capable(CAP_SYS_ADMIN); return capable(CAP_SYS_ADMIN);
} }
#else
static inline bool may_mandlock(void)
{
pr_warn("VFS: \"mand\" mount option not supported");
return false;
}
#endif
/* /*
* Now umount can handle mount points as well as block devices. * Now umount can handle mount points as well as block devices.
......
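Review bot: The pr_warn() format string in the new #else variant of may_mandlock() has no trailing newline, so the message may be left unterminated in the log and run into whatever is printed next; it should read pr_warn("VFS: \"mand\" mount option not supported\n");. The warning is also emitted on every call with no rate limit, so repeated "-o mand" mount attempts on a kernel without CONFIG_MANDATORY_FILE_LOCKING each add a log line; pr_warn_once() or pr_warn_ratelimited() would keep the diagnostic without letting it flood the log. A short comment above the #else variant noting that it exists only to report the unsupported option would help readers of the two definitions.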