move the capability checks from sget_userns() to legacy_get_tree()
1) all call chains leading to sget_userns() pass through ->mount() instances. 2) none of ->mount() instances is ever called directly - the only call site is legacy_get_tree() 3) all remaining ->mount() instances end up calling sget_userns() IOW, we might as well do the capability checks just before calling ->mount(). As for the arguments passed to mount_capable(), in case of call chains to sget_userns() going through sget(), we either don't call mount_capable() at all, or pass current_user_ns() to it. The call chains going through mount_pseudo_xattr() don't call mount_capable() at all (SB_KERNMOUNT in flags on those). That could've been split into smaller steps (lifting the checks into sget(), then callers of sget(), then all the way to the entries of every ->mount() out there, then to the sole caller), but that would be too much churn for little benefit... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent
bb7b6b2bbd
commit
2527b284de
@ -662,6 +662,11 @@ static int legacy_get_tree(struct fs_context *fc)
|
|||||||
struct super_block *sb;
|
struct super_block *sb;
|
||||||
struct dentry *root;
|
struct dentry *root;
|
||||||
|
|
||||||
|
if (!(fc->sb_flags & (SB_KERNMOUNT|SB_SUBMOUNT))) {
|
||||||
|
if (!mount_capable(fc->fs_type, current_user_ns()))
|
||||||
|
return -EPERM;
|
||||||
|
}
|
||||||
|
|
||||||
root = fc->fs_type->mount(fc->fs_type, fc->sb_flags,
|
root = fc->fs_type->mount(fc->fs_type, fc->sb_flags,
|
||||||
fc->source, ctx->legacy_data);
|
fc->source, ctx->legacy_data);
|
||||||
if (IS_ERR(root))
|
if (IS_ERR(root))
|
||||||
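Review bot: The check added at the top of legacy_get_tree() tests `current_user_ns()`, whereas the check this commit removes from sget_userns() tested the caller-supplied `user_ns`, and nothing at the new site records why the two are equivalent. The commit message covers the chains through sget() and mount_pseudo_xattr(); if any ->mount() instance hands sget_userns() a namespace other than the caller's, the capability would now be evaluated against a different namespace, which cannot be confirmed from the lines shown here. I would add a comment above the new block, for example `/* sole permission check for legacy ->mount(); sget_userns() no longer calls mount_capable() */`, and a matching line on sget_userns() saying that callers must have checked mount permission already, so that a later direct caller does not silently skip it. legacy_get_tree()'s body begins and continues outside this hunk.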
|
@ -18,6 +18,7 @@ struct path;
|
|||||||
struct mount;
|
struct mount;
|
||||||
struct shrink_control;
|
struct shrink_control;
|
||||||
struct fs_context;
|
struct fs_context;
|
||||||
|
struct user_namespace;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* block_dev.c
|
* block_dev.c
|
||||||
@ -113,6 +114,7 @@ extern struct file *alloc_empty_file_noaccount(int, const struct cred *);
|
|||||||
extern int reconfigure_super(struct fs_context *);
|
extern int reconfigure_super(struct fs_context *);
|
||||||
extern bool trylock_super(struct super_block *sb);
|
extern bool trylock_super(struct super_block *sb);
|
||||||
extern struct super_block *user_get_super(dev_t);
|
extern struct super_block *user_get_super(dev_t);
|
||||||
|
extern bool mount_capable(struct file_system_type *, struct user_namespace *);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* open.c
|
* open.c
|
||||||
|
@ -583,10 +583,6 @@ struct super_block *sget_userns(struct file_system_type *type,
|
|||||||
struct super_block *old;
|
struct super_block *old;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
if (!(flags & (SB_KERNMOUNT|SB_SUBMOUNT))) {
|
|
||||||
if (!mount_capable(type, user_ns))
|
|
||||||
return ERR_PTR(-EPERM);
|
|
||||||
}
|
|
||||||
retry:
|
retry:
|
||||||
spin_lock(&sb_lock);
|
spin_lock(&sb_lock);
|
||||||
if (test) {
|
if (test) {
|
||||||
|