From 49c81353cdfde27efb1c90683dac635549e5bc53 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Tue, 1 Jul 2025 21:41:29 +0800 Subject: [PATCH 1/2] do_change_type(): refuse to operate on unmounted/not ours mounts mainline inclusion from mainline-v6.10-rc4 commit 12f147ddd6de7382dad54812e65f3f08d05809fc category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICGF26 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=12f147ddd6de7382dad54812e65f3f08d05809fc -------------------------------- Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). Reviewed-by: Christian Brauner Fixes: 07b20889e305 ("beginning of the shared-subtree proper") Reported-by: "Orlando, Noah" Signed-off-by: Al Viro Signed-off-by: Wang Zhaolong --- fs/namespace.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/namespace.c b/fs/namespace.c index 61c88343cc94..617288486ef8 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -2311,6 +2311,10 @@ static int do_change_type(struct path *path, int ms_flags) return -EINVAL; namespace_lock(); + if (!check_mnt(mnt)) { + err = -EINVAL; + goto out_unlock; + } if (type == MS_SHARED) { err = invent_group_ids(mnt, recurse); if (err) -- Gitee From aa46de7d296355b2339a35db13179a2ec506224e Mon Sep 17 00:00:00 2001 
From: Al Viro Date: Tue, 1 Jul 2025 21:41:30 +0800 Subject: [PATCH 2/2] clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns mainline inclusion from mainline-v6.10-rc4 commit c28f922c9dcee0e4876a2c095939d77fe7e15116 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/ICGF26 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c28f922c9dcee0e4876a2c095939d77fe7e15116 -------------------------------- What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to. clone_private_mnt() checks the former, but not the latter. There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above. Reviewed-by: Christian Brauner Reported-by: "Orlando, Noah" Fixes: 427215d85e8d ("ovl: prevent private clone if bind mount is not allowed") Signed-off-by: Al Viro Conflicts: fs/namespace.c [Conflicts with mainline commit db04662e2f4f ("fs: allow detached mounts in clone_private_mount()") and commit 1f282cdc1d21 ("fs/fhandle.c: fix a race in call of has_locked_children()").] Signed-off-by: Wang Zhaolong --- fs/namespace.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/namespace.c b/fs/namespace.c index 617288486ef8..000dc921e810 100644 --- a/fs/namespace.c +++ b/fs/namespace.c 
@@ -1959,6 +1959,11 @@ struct vfsmount *clone_private_mount(const struct path *path) if (!check_mnt(old_mnt)) goto invalid; + if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)) { + up_read(&namespace_sem); + return ERR_PTR(-EPERM); + } + if (has_locked_children(old_mnt, path->dentry)) goto invalid; -- Gitee
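Review bot: In the do_change_type() hunk of patch 1/2, the new `if (!check_mnt(mnt))` block has no comment saying what it enforces, and it exits through `out_unlock`, a label that lies outside the visible context. A one-line comment above the check, in the terms of the commit message (propagation settings may only be changed for mounts in the caller's mount namespace), would keep the intent next to the code. Because this is a backport, confirm that `out_unlock` in this tree releases namespace_lock() and returns err, so that the new early exit does not leave the lock held.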
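Review bot: In the clone_private_mount() hunk of patch 2/2, the added `ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN)` test dereferences old_mnt->mnt_ns, so it depends on the `check_mnt(old_mnt)` test directly above it having passed, and nothing in the code states that ordering requirement. The commit message lists a conflict with db04662e2f4f ("fs: allow detached mounts in clone_private_mount()"), so a later backport that relaxes the check_mnt() test would have to revisit this dereference; a short comment naming the dependency would make that visible. The failure path also open-codes `up_read(&namespace_sem); return ERR_PTR(-EPERM);` while the neighbouring checks use `goto invalid`; a dedicated label for the -EPERM exit would keep the unlock in one place.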