[PATCH] umount: Allow superblock owners to force umount

[PATCH] umount: Allow superblock owners to force umount

[trondmy]

From: Trond Myklebust <trond.myklebust@hammerspace.com>

Loosen the permission check on forced umount to allow users holding
CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
to the userns that originally mounted the filesystem.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
---
 fs/namespace.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 8f1000f9f3df..d401486fe95d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2026,6 +2026,7 @@ static void warn_mandlock(void)
 static int can_umount(const struct path *path, int flags)
 {
 	struct mount *mnt = real_mount(path->mnt);
+	struct super_block *sb = path->dentry->d_sb;
 
 	if (!may_mount())
 		return -EPERM;
@@ -2035,7 +2036,7 @@ static int can_umount(const struct path *path, int flags)
 		return -EINVAL;
 	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
 		return -EINVAL;
-	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
+	if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }
-- 
2.48.1

Re: [PATCH] umount: Allow superblock owners to force umount

[Eric W. Biederman]

trondmy@kernel.org writes:

> From: Trond Myklebust <trond.myklebust@hammerspace.com>
>
> Loosen the permission check on forced umount to allow users holding
> CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
> to the userns that originally mounted the filesystem.

Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>

Semantically this seems reasonable.  I think forced umounts just got
overlooked when I was relaxing the other permission checks, to allow
things if you own the superblock.

The code has already checked you have permissions on the current mount
namespace.  Which was my immediate concern looking at the code.

Eric

> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
> ---
>  fs/namespace.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 8f1000f9f3df..d401486fe95d 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2026,6 +2026,7 @@ static void warn_mandlock(void)
>  static int can_umount(const struct path *path, int flags)
>  {
>  	struct mount *mnt = real_mount(path->mnt);
> +	struct super_block *sb = path->dentry->d_sb;
>  
>  	if (!may_mount())
>  		return -EPERM;
> @@ -2035,7 +2036,7 @@ static int can_umount(const struct path *path, int flags)
>  		return -EINVAL;
>  	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
>  		return -EINVAL;
> -	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
> +	if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
>  		return -EPERM;
>  	return 0;
>  }

Re: [PATCH] umount: Allow superblock owners to force umount

[Christian Brauner]

On Tue, 18 Mar 2025 12:29:21 -0400, trondmy@kernel.org wrote:
> Loosen the permission check on forced umount to allow users holding
> CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
> to the userns that originally mounted the filesystem.
> 
> 

Sensible.

---

Applied to the vfs-6.15.mount branch of the vfs/vfs.git tree.
Patches in the vfs-6.15.mount branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs-6.15.mount

[1/1] umount: Allow superblock owners to force umount
      https://git.kernel.org/vfs/vfs/c/e1ff7aa34dec

Re: [PATCH] umount: Allow superblock owners to force umount

[Jeff Layton]

On Tue, 2025-03-18 at 12:29 -0400, trondmy@kernel.org wrote:
> From: Trond Myklebust <trond.myklebust@hammerspace.com>
> 
> Loosen the permission check on forced umount to allow users holding
> CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
> to the userns that originally mounted the filesystem.
> 
> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
> ---
>  fs/namespace.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 8f1000f9f3df..d401486fe95d 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2026,6 +2026,7 @@ static void warn_mandlock(void)
>  static int can_umount(const struct path *path, int flags)
>  {
>  	struct mount *mnt = real_mount(path->mnt);
> +	struct super_block *sb = path->dentry->d_sb;
>  
>  	if (!may_mount())
>  		return -EPERM;
> @@ -2035,7 +2036,7 @@ static int can_umount(const struct path *path, int flags)
>  		return -EINVAL;
>  	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
>  		return -EINVAL;
> -	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
> +	if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
>  		return -EPERM;
>  	return 0;
>  }

Reviewed-by: Jeff Layton <jlayton@kernel.org>