Quoting Eric W. Biederman (ebiederm@xxxxxxxxxxxx): > > There are no races as locked mount flags are guaranteed to never change. > > Moving the test into do_remount makes it more visible, and ensures all > filesystem remounts pass the MNT_LOCK_READONLY permission check. This > second case is not an issue today as filesystem remounts are guarded > by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged > mount namespaces, but it could become an issue in the future. > > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx> Acked-by: Serge E. Hallyn <serge.hallyn@xxxxxxxxxx> > --- > fs/namespace.c | 13 ++++++++++--- > 1 file changed, 10 insertions(+), 3 deletions(-) > > diff --git a/fs/namespace.c b/fs/namespace.c > index cb40449ea0df..1105a577a14f 100644 > --- a/fs/namespace.c > +++ b/fs/namespace.c > @@ -1896,9 +1896,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags) > if (readonly_request == __mnt_is_readonly(mnt)) > return 0; > > - if (mnt->mnt_flags & MNT_LOCK_READONLY) > - return -EPERM; > - > if (readonly_request) > error = mnt_make_readonly(real_mount(mnt)); > else > @@ -1924,6 +1921,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags, > if (path->dentry != path->mnt->mnt_root) > return -EINVAL; > > + /* Don't allow changing of locked mnt flags. > + * > + * No locks need to be held here while testing the various > + * MNT_LOCK flags because those flags can never be cleared > + * once they are set. > + */ > + if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) && > + !(mnt_flags & MNT_READONLY)) { > + return -EPERM; > + } > err = security_sb_remount(sb, data); > if (err) > return err; > -- > 1.9.1
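Review bot: in the change_mount_flags() hunk, once the MNT_LOCK_READONLY test is removed the function no longer enforces the lock itself, and nothing left in it says so. The only replacement visible in this diff is in do_remount(), so a short comment above `if (readonly_request)` stating that the caller must already have checked the MNT_LOCK flags would keep a later caller from clearing read-only on a locked mount by accident.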
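Review bot: in the do_remount() hunk the new comment refers to "the various MNT_LOCK flags" while the test below it covers only MNT_LOCK_READONLY; name that one flag in the comment, or say that further tests are expected to be added here. The check also returns -EPERM before `err = security_sb_remount(sb, data);` is reached, so the security hook never sees the refused request; if that ordering is intended, the comment is the place to say it. On style, the closing `}` runs straight into the `err = ...` line without a blank line, and the braces around the single `return -EPERM;` could be dropped.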