Skip to content

Commit

Permalink
ovl: prevent private clone if bind mount is not allowed
Browse files Browse the repository at this point in the history
Add the following checks from __do_loopback() to clone_private_mount() as
well:

 - verify that the mount is in the current namespace

 - verify that there are no locked children

Reported-by: Alois Wohlschlager <[email protected]>
Fixes: c771d68 ("vfs: introduce clone_private_mount()")
Cc: <[email protected]> # v3.18
Signed-off-by: Miklos Szeredi <[email protected]>
  • Loading branch information
Miklos Szeredi committed Aug 10, 2021
1 parent 580c610 commit 427215d
Showing 1 changed file with 28 additions and 14 deletions.
42 changes: 28 additions & 14 deletions fs/namespace.c
Original file line number Diff line number Diff line change
Expand Up @@ -1938,6 +1938,20 @@ void drop_collected_mounts(struct vfsmount *mnt)
namespace_unlock();
}

static bool has_locked_children(struct mount *mnt, struct dentry *dentry)
{
struct mount *child;

list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
if (!is_subdir(child->mnt_mountpoint, dentry))
continue;

if (child->mnt.mnt_flags & MNT_LOCKED)
return true;
}
return false;
}

/**
* clone_private_mount - create a private clone of a path
* @path: path to clone
Expand All @@ -1953,17 +1967,30 @@ struct vfsmount *clone_private_mount(const struct path *path)
struct mount *old_mnt = real_mount(path->mnt);
struct mount *new_mnt;

down_read(&namespace_sem);
if (IS_MNT_UNBINDABLE(old_mnt))
return ERR_PTR(-EINVAL);
goto invalid;

if (!check_mnt(old_mnt))
goto invalid;

if (has_locked_children(old_mnt, path->dentry))
goto invalid;

new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE);
up_read(&namespace_sem);

if (IS_ERR(new_mnt))
return ERR_CAST(new_mnt);

/* Longterm mount to be removed by kern_unmount*() */
new_mnt->mnt_ns = MNT_NS_INTERNAL;

return &new_mnt->mnt;

invalid:
up_read(&namespace_sem);
return ERR_PTR(-EINVAL);
}
EXPORT_SYMBOL_GPL(clone_private_mount);

Expand Down Expand Up @@ -2315,19 +2342,6 @@ static int do_change_type(struct path *path, int ms_flags)
return err;
}

static bool has_locked_children(struct mount *mnt, struct dentry *dentry)
{
struct mount *child;
list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
if (!is_subdir(child->mnt_mountpoint, dentry))
continue;

if (child->mnt.mnt_flags & MNT_LOCKED)
return true;
}
return false;
}

static struct mount *__do_loopback(struct path *old_path, int recurse)
{
struct mount *mnt = ERR_PTR(-EINVAL), *old = real_mount(old_path->mnt);
Expand Down

0 comments on commit 427215d

Please sign in to comment.