All of lore.kernel.org
 help / color / mirror / Atom feed
From: Serge Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: Andrew Lutomirski <andy-RHosVwM/Cj8@public.gmane.org>,
	Linux Containers
	<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
	Willy Tarreau <w@1wt.eu>,
	security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org,
	Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org>
Subject: Re: [REVIEW][PATCH 2/5] mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount
Date: Thu, 31 Jul 2014 23:11:41 +0000	[thread overview]
Message-ID: <20140731231141.GD7954@ubuntumail> (raw)
In-Reply-To: <87bns7jye1.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>

Quoting Eric W. Biederman (ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org):
> 
> There are no races as locked mount flags are guaranteed to never change.
> 
> Moving the test into do_remount makes it more visible, and ensures all
> filesystem remounts pass the MNT_LOCK_READONLY permission check.  This
> second case is not an issue today as filesystem remounts are guarded
> by capable(CAP_DAC_ADMIN) and thus will always fail in less privileged
> mount namespaces, but it could become an issue in the future.
> 
> Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> Signed-off-by: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>

Acked-by: Serge E. Hallyn <serge.hallyn-GeWIH/nMZzLQT0dZR+AlfA@public.gmane.org>

> ---
>  fs/namespace.c | 13 ++++++++++---
>  1 file changed, 10 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/namespace.c b/fs/namespace.c
> index cb40449ea0df..1105a577a14f 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -1896,9 +1896,6 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags)
>  	if (readonly_request == __mnt_is_readonly(mnt))
>  		return 0;
>  
> -	if (mnt->mnt_flags & MNT_LOCK_READONLY)
> -		return -EPERM;
> -
>  	if (readonly_request)
>  		error = mnt_make_readonly(real_mount(mnt));
>  	else
> @@ -1924,6 +1921,16 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
>  	if (path->dentry != path->mnt->mnt_root)
>  		return -EINVAL;
>  
> +	/* Don't allow changing of locked mnt flags.
> +	 *
> +	 * No locks need to be held here while testing the various
> +	 * MNT_LOCK flags because those flags can never be cleared
> +	 * once they are set.
> +	 */
> +	if ((mnt->mnt.mnt_flags & MNT_LOCK_READONLY) &&
> +	    !(mnt_flags & MNT_READONLY)) {
> +		return -EPERM;
> +	}
>  	err = security_sb_remount(sb, data);
>  	if (err)
>  		return err;
> -- 
> 1.9.1
> 

  parent reply	other threads:[~2014-07-31 23:11 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <87fvih4a99.fsf@x220.int.ebiederm.org>
     [not found] ` <CAObL_7FfacSTdO=JEfYyqQrp8qOSob6qoWrGN=rSM5t9ckkTWg@mail.gmail.com>
     [not found]   ` <8761injfj9.fsf_-_@x220.int.ebiederm.org>
     [not found]     ` <CAObL_7GhpuO4m6HunKvNMSpiEYBuaJnvjfVDiyG88GZ8HOa-vg@mail.gmail.com>
     [not found]       ` <CAOP=4wgKGxJmLwSHYRKXCTva_Fyzn+D1vaWhtT-mo_t9Uu68zA@mail.gmail.com>
     [not found]         ` <87lhrihaan.fsf@x220.int.ebiederm.org>
     [not found]           ` <CAObL_7HSNkM=Kr9Jwc9JB7Zt7ZdR+skzmPrxYcFSkCutFDA5KA@mail.gmail.com>
     [not found]             ` <20140724194920.GU26600@ubuntumail>
     [not found]               ` <CAOP=4wh-AXf7qPy0rPaQ6RFbbJGRWKo0h1Rn=9vLUeJ6b6Q7YA@mail.gmail.com>
     [not found]                 ` <8738dqh2j1.fsf@x220.int.ebiederm.org>
     [not found]                   ` <20140725060810.GC31313@1wt.eu>
     [not found]                     ` <877g2xou2u.fsf@x220.int.ebiederm.org>
     [not found]                       ` <87r415nf3k.fsf_-_@x220.int.ebiederm.org>
     [not found]                         ` <874my1neyr.fsf_-_@x220.int.ebiederm.org>
     [not found]                           ` <CAOP=4wj7m+w4aDJCuQaf3r9aFraPN1SvPgFSz=_UNkyC8gEHyQ@mail.gmail.com>
     [not found]                             ` <CAOP=4wj7m+w4aDJCuQaf3r9aFraPN1SvPgFSz=_UNkyC8gEHyQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-07-30  3:38                               ` [REVIEW][0/5] Fixing unprivileged mount -o remount,ro Eric W. Biederman
2014-07-30  3:41                               ` Eric W. Biederman
     [not found]                                 ` <87ppgnjyx4.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-30  3:52                                   ` [REVIEW][PATCH 1/5] mnt: Only change user settable mount flags in remount Eric W. Biederman
     [not found]                                     ` <87ha1zjyf0.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:13                                       ` Serge Hallyn
2014-08-01  0:10                                         ` Eric W. Biederman
2014-07-30  3:53                                   ` [REVIEW][PATCH 2/5] mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount Eric W. Biederman
     [not found]                                     ` <87bns7jye1.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:11                                       ` Serge Hallyn [this message]
2014-07-30  3:53                                   ` [REVIEW][PATCH 3/5] mnt: Correct permission checks in do_remount Eric W. Biederman
     [not found]                                     ` <877g2vjyd7.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:06                                       ` Serge Hallyn
2014-07-30  3:54                                   ` [REVIEW][PATCH 4/5] mnt: Change the default remount atime from relatime to the existing value Eric W. Biederman
     [not found]                                     ` <871tt3jycd.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 22:59                                       ` Serge Hallyn
2014-07-30  3:55                                   ` [REVIEW][PATCH 5/5] mnt: Add tests for unprivileged remount cases that have found to be faulty Eric W. Biederman
     [not found]                                     ` <87vbqfijq0.fsf_-_-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 22:48                                       ` Serge Hallyn
2014-07-31 22:52                                         ` Eric W. Biederman
     [not found]                                           ` <87fvhhdtua.fsf-JOvCrm2gF+uungPnsOpG7nhyD016LWXt@public.gmane.org>
2014-07-31 23:15                                             ` Serge Hallyn

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140731231141.GD7954@ubuntumail \
    --to=serge.hallyn-gewih/nmzzlqt0dzr+alfa@public.gmane.org \
    --cc=andy-RHosVwM/Cj8@public.gmane.org \
    --cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
    --cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
    --cc=security-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
    --cc=viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org \
    --cc=w@1wt.eu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.