Allow a filesystem to control its visibility in /proc/filesystems.

PiperOrigin-RevId: 204508520
Change-Id: I09e5f8b6e69413370e1a0d39dbb7dc1ee0b6192d

10 files changed, 47 insertions, 0 deletions

diff --git a/pkg/sentry/fs/dev/fs.go b/pkg/sentry/fs/dev/fs.go
index 4945ac962..3c79f3782 100644
--- a/pkg/sentry/fs/dev/fs.go
+++ b/pkg/sentry/fs/dev/fs.go
@@ -49,6 +49,11 @@ func (*filesystem) AllowUserMount() bool {
 	return true
 }
 
+// AllowUserList allows this filesystem to be listed in /proc/filesystems.
+func (*filesystem) AllowUserList() bool {
+	return true
+}
+
 // Flags returns that there is nothing special about this file system.
 //
 // In Linux, devtmpfs does the same thing.
diff --git a/pkg/sentry/fs/filesystems.go b/pkg/sentry/fs/filesystems.go
index e2c255be6..200e792f4 100644
--- a/pkg/sentry/fs/filesystems.go
+++ b/pkg/sentry/fs/filesystems.go
@@ -55,6 +55,10 @@ type Filesystem interface {
 	// AllowUserMount determines whether mount(2) is allowed to mount a
 	// file system of this type.
 	AllowUserMount() bool
+
+	// AllowUserList determines whether this filesystem is listed in
+	// /proc/filesystems
+	AllowUserList() bool
 }
 
 // filesystems is the global set of registered file systems. It does not need
diff --git a/pkg/sentry/fs/gofer/fs.go b/pkg/sentry/fs/gofer/fs.go
index e041074d2..dd5d43c47 100644
--- a/pkg/sentry/fs/gofer/fs.go
+++ b/pkg/sentry/fs/gofer/fs.go
@@ -103,6 +103,11 @@ func (*filesystem) AllowUserMount() bool {
 	return false
 }
 
+// AllowUserList allows this filesystem to be listed in /proc/filesystems.
+func (*filesystem) AllowUserList() bool {
+	return true
+}
+
 // Flags returns that there is nothing special about this file system.
 //
 // The 9p Linux client returns FS_RENAME_DOES_D_MOVE, see fs/9p/vfs_super.c.
diff --git a/pkg/sentry/fs/host/fs.go b/pkg/sentry/fs/host/fs.go
index ffd55a5ab..974700636 100644
--- a/pkg/sentry/fs/host/fs.go
+++ b/pkg/sentry/fs/host/fs.go
@@ -66,6 +66,11 @@ func (*Filesystem) AllowUserMount() bool {
 	return false
 }
 
+// AllowUserList allows this filesystem to be listed in /proc/filesystems.
+func (*Filesystem) AllowUserList() bool {
+	return true
+}
+
 // Flags returns that there is nothing special about this file system.
 func (*Filesystem) Flags() fs.FilesystemFlags {
 	return 0
diff --git a/pkg/sentry/fs/mount_overlay.go b/pkg/sentry/fs/mount_overlay.go
index 16c25e46c..343202400 100644
--- a/pkg/sentry/fs/mount_overlay.go
+++ b/pkg/sentry/fs/mount_overlay.go
@@ -89,6 +89,11 @@ func (ofs *overlayFilesystem) AllowUserMount() bool {
 	return false
 }
 
+// AllowUserList implements Filesystem.AllowUserList.
+func (*overlayFilesystem) AllowUserList() bool {
+	return true
+}
+
 // Mount implements Filesystem.Mount.
 func (ofs *overlayFilesystem) Mount(ctx context.Context, device string, flags MountSourceFlags, data string) (*Inode, error) {
 	panic("overlayFilesystem.Mount should not be called!")
diff --git a/pkg/sentry/fs/proc/filesystems.go b/pkg/sentry/fs/proc/filesystems.go
index aa2c4db10..37db9cf9c 100644
--- a/pkg/sentry/fs/proc/filesystems.go
+++ b/pkg/sentry/fs/proc/filesystems.go
@@ -43,6 +43,9 @@ func (*filesystemsData) ReadSeqFileData(ctx context.Context, h seqfile.SeqHandle
 	// Generate the file contents.
 	var buf bytes.Buffer
 	for _, sys := range fs.GetFilesystems() {
+		if !sys.AllowUserList() {
+			continue
+		}
 		nodev := "nodev"
 		if sys.Flags()&fs.FilesystemRequiresDev != 0 {
 			nodev = ""
diff --git a/pkg/sentry/fs/proc/fs.go b/pkg/sentry/fs/proc/fs.go
index 072d00beb..3aadd6ac4 100644
--- a/pkg/sentry/fs/proc/fs.go
+++ b/pkg/sentry/fs/proc/fs.go
@@ -42,6 +42,11 @@ func (*filesystem) AllowUserMount() bool {
 	return true
 }
 
+// AllowUserList allows this filesystem to be listed in /proc/filesystems.
+func (*filesystem) AllowUserList() bool {
+	return true
+}
+
 // Flags returns that there is nothing special about this file system.
 //
 // In Linux, proc returns FS_USERNS_VISIBLE | FS_USERNS_MOUNT, see fs/proc/root.c.
diff --git a/pkg/sentry/fs/sys/fs.go b/pkg/sentry/fs/sys/fs.go
index f25f648c3..c6d5f7fd8 100644
--- a/pkg/sentry/fs/sys/fs.go
+++ b/pkg/sentry/fs/sys/fs.go
@@ -40,6 +40,11 @@ func (*filesystem) AllowUserMount() bool {
 	return true
 }
 
+// AllowUserList allows this filesystem to be listed in /proc/filesystems.
+func (*filesystem) AllowUserList() bool {
+	return true
+}
+
 // Flags returns that there is nothing special about this file system.
 //
 // In Linux, sysfs returns FS_USERNS_VISIBLE | FS_USERNS_MOUNT, see fs/sysfs/mount.c.
diff --git a/pkg/sentry/fs/tmpfs/fs.go b/pkg/sentry/fs/tmpfs/fs.go
index 639a19b0d..5bd9ade52 100644
--- a/pkg/sentry/fs/tmpfs/fs.go
+++ b/pkg/sentry/fs/tmpfs/fs.go
@@ -67,6 +67,11 @@ func (*Filesystem) AllowUserMount() bool {
 	return true
 }
 
+// AllowUserList allows this filesystem to be listed in /proc/filesystems.
+func (*Filesystem) AllowUserList() bool {
+	return true
+}
+
 // Flags returns that there is nothing special about this file system.
 //
 // In Linux, tmpfs returns FS_USERNS_MOUNT, see mm/shmem.c.
diff --git a/pkg/sentry/fs/tty/fs.go b/pkg/sentry/fs/tty/fs.go
index f5e7a3162..1ef1a85e3 100644
--- a/pkg/sentry/fs/tty/fs.go
+++ b/pkg/sentry/fs/tty/fs.go
@@ -46,6 +46,11 @@ func (*filesystem) AllowUserMount() bool {
 	return false
 }
 
+// AllowUserList allows this filesystem to be listed in /proc/filesystems.
+func (*filesystem) AllowUserList() bool {
+	return true
+}
+
 // Flags returns that there is nothing special about this file system.
 func (*filesystem) Flags() fs.FilesystemFlags {
 	return 0