From: Al Viro <viro@zeniv.linux.org.uk>
To: "KONDO KAZUMA(近藤 和真)" <kazuma-kondo@nec.com>
Cc: "brauner@kernel.org" <brauner@kernel.org>,
"jack@suse.cz" <jack@suse.cz>,
"mike@mbaynton.com" <mike@mbaynton.com>,
"miklos@szeredi.hu" <miklos@szeredi.hu>,
"amir73il@gmail.com" <amir73il@gmail.com>,
"linux-fsdevel@vger.kernel.org" <linux-fsdevel@vger.kernel.org>,
"linux-unionfs@vger.kernel.org" <linux-unionfs@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] fs: allow clone_private_mount() for a path on real rootfs
Date: Wed, 14 May 2025 20:02:52 +0100 [thread overview]
Message-ID: <20250514190252.GQ2023217@ZenIV> (raw)
In-Reply-To: <9138a96b-3df0-455a-9059-287a98356c4c@nec.com>
On Wed, May 14, 2025 at 08:37:54AM +0000, KONDO KAZUMA(近藤 和真) wrote:
> On 2025/05/14 11:43, Al Viro wrote:
> > On Wed, May 14, 2025 at 12:25:58AM +0000, KONDO KAZUMA(近藤 和真) wrote:
> >
> >> @@ -2482,17 +2482,13 @@ struct vfsmount *clone_private_mount(const struct path *path)
> >> if (IS_MNT_UNBINDABLE(old_mnt))
> >> return ERR_PTR(-EINVAL);
> >>
> >> - if (mnt_has_parent(old_mnt)) {
> >> + if (!is_mounted(&old_mnt->mnt))
> >> + return ERR_PTR(-EINVAL);
> >> +
> >> + if (mnt_has_parent(old_mnt) || !is_anon_ns(old_mnt->mnt_ns)) {
> >> if (!check_mnt(old_mnt))
> >> return ERR_PTR(-EINVAL);
> >> } else {
> >> - if (!is_mounted(&old_mnt->mnt))
> >> - return ERR_PTR(-EINVAL);
> >> -
> >> - /* Make sure this isn't something purely kernel internal. */
> >> - if (!is_anon_ns(old_mnt->mnt_ns))
> >> - return ERR_PTR(-EINVAL);
> >> -
> >> /* Make sure we don't create mount namespace loops. */
> >> if (!check_for_nsfs_mounts(old_mnt))
> >> return ERR_PTR(-EINVAL);
> >
> > Not the right way to do that. What we want is
> >
> > /* ours are always fine */
> > if (!check_mnt(old_mnt)) {
> > /* they'd better be mounted _somewhere */
> > if (!is_mounted(old_mnt))
> > return -EINVAL;
> > /* no other real namespaces; only anon */
> > if (!is_anon_ns(old_mnt->mnt_ns))
> > return -EINVAL;
> > /* ... and root of that anon */
> > if (mnt_has_parent(old_mnt))
> > return -EINVAL;
> > /* Make sure we don't create mount namespace loops. */
> > if (!check_for_nsfs_mounts(old_mnt))
> > return ERR_PTR(-EINVAL);
> > }
>
> Hello Al Viro,
>
> Thank you for your comment.
> That code can solve my problem, and it seems to be better!
BTW, see https://lore.kernel.org/all/20250506194849.GT2023217@ZenIV/ for
discussion about a week ago when that got noticed:
|| In case of clone_private_mount(), though, there's nothing wrong
|| with "clone me a subtree of absolute root", so it has to be
|| done other way round - check if it's ours first, then in "not
|| ours" case check that it's a root of anon namespace.
||
|| Failing btrfs mount has ended up with upper layer pathname
|| pointing to initramfs directory where btrfs would've been
|| mounted, which had walked into that corner case. In your
|| case the problem has already happened by that point, but on
|| a setup a-la X Terminal it would cause trouble...
Looks like such setups are less theoretical than I thought.
> So, I will revise my patch and resend it.
Probably worth gathering the comments in one place. Something like
/*
* Check if the source is acceptable; anything mounted in
* our namespace is fine, otherwise it must be the root of
* some anon namespace and we need to make sure no namespace
* loops get created.
*/
if (!check_mnt(old_mnt)) {
if (!is_mounted(&old_mnt->mnt) ||
!is_anon_ns(old_mnt->mnt_ns) ||
mnt_has_parent(old_mnt))
return ERR_PTR(-EINVAL);
if (!check_for_nsfs_mounts(old_mnt))
return ERR_PTR(-EINVAL);
}
might be easier to follow.
next prev parent reply other threads:[~2025-05-14 19:02 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 0:25 [PATCH] fs: allow clone_private_mount() for a path on real rootfs KONDO KAZUMA(近藤 和真)
2025-05-14 2:43 ` Al Viro
2025-05-14 8:37 ` KONDO KAZUMA(近藤 和真)
2025-05-14 19:02 ` Al Viro [this message]
2025-05-15 12:12 ` KONDO KAZUMA(近藤 和真)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250514190252.GQ2023217@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=kazuma-kondo@nec.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-unionfs@vger.kernel.org \
--cc=mike@mbaynton.com \
--cc=miklos@szeredi.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.