trondmy@xxxxxxxxxx writes:
> From: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
>
> Loosen the permission check on forced umount to allow users holding
> CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
> to the userns that originally mounted the filesystem.
Acked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Semantically this seems reasonable. I think forced umounts just got
overlooked when I was relaxing the other permission checks, to allow
things if you own the superblock.
The code has already checked you have permissions on the current mount
namespace. Which was my immediate concern looking at the code.
Eric
> Signed-off-by: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
> ---
> fs/namespace.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 8f1000f9f3df..d401486fe95d 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2026,6 +2026,7 @@ static void warn_mandlock(void)
> static int can_umount(const struct path *path, int flags)
> {
> struct mount *mnt = real_mount(path->mnt);
> + struct super_block *sb = path->dentry->d_sb;
>
> if (!may_mount())
> return -EPERM;
> @@ -2035,7 +2036,7 @@ static int can_umount(const struct path *path, int flags)
> return -EINVAL;
> if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
> return -EINVAL;
> - if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
> + if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
> return -EPERM;
> return 0;
> }
