get rid of unprotected dereferencing of mnt->mnt_ns

commit 9b40bc90 upstream. It's safe only under namespace_sem or vfsmount_lock; all places in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in there). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

get rid of unprotected dereferencing of mnt->mnt_ns
commit 9b40bc90 upstream. It's safe only under namespace_sem or vfsmount_lock; all places in fs/namespace.c that want mnt->mnt_ns->user_ns actually want to use current->nsproxy->mnt_ns->user_ns (note the calls of check_mnt() in there). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
a21a1cac · Al Viro · Greg Kroah-Hartman · 0f4b4029 · a21a1cac
Commit a21a1cac authored Feb 22, 2013 by Al Viro Committed by Greg Kroah-Hartman Feb 28, 2013
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 12 deletions

fs/namespace.c fs/namespace.c +17 -12

No files found.
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1237,6 +1237,14 @@ static int do_umount(struct mount *mnt, int flags)
 	return retval;
 }

+/*
+ * Is the caller allowed to modify his namespace?
+ */
+static inline bool may_mount(void)
+{
+	return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN);
+}
+
 /*
 * Now umount can handle mount points as well as block devices.
 * This is important for filesystems which use unnamed block devices.
@@ -1255,6 +1263,9 @@ SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
 	if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))
 		return -EINVAL;

+	if (!may_mount())
+		return -EPERM;
+
 	if (!(flags & UMOUNT_NOFOLLOW))
 		lookup_flags |= LOOKUP_FOLLOW;

@@ -1268,10 +1279,6 @@ SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
 	if (!check_mnt(mnt))
 		goto dput_and_out;

-	retval = -EPERM;
-	if (!ns_capable(mnt->mnt_ns->user_ns, CAP_SYS_ADMIN))
-		goto dput_and_out;
-
 	retval = do_umount(mnt, flags);
 dput_and_out:
 	/* we mustn't call path_put() as that would clear mnt_expiry_mark */
@@ -1295,7 +1302,7 @@ SYSCALL_DEFINE1(oldumount, char __user *, name)

 static int mount_is_safe(struct path *path)
 {
-	if (ns_capable(real_mount(path->mnt)->mnt_ns->user_ns, CAP_SYS_ADMIN))
+	if (may_mount())
 		return 0;
 	return -EPERM;
 #ifdef notyet
@@ -1633,7 +1640,7 @@ static int do_change_type(struct path *path, int flag)
 	int type;
 	int err = 0;

-	if (!ns_capable(mnt->mnt_ns->user_ns, CAP_SYS_ADMIN))
+	if (!may_mount())
 		return -EPERM;

 	if (path->dentry != path->mnt->mnt_root)
@@ -1797,7 +1804,7 @@ static int do_move_mount(struct path *path, const char *old_name)
 	struct mount *p;
 	struct mount *old;
 	int err = 0;
-	if (!ns_capable(real_mount(path->mnt)->mnt_ns->user_ns, CAP_SYS_ADMIN))
+	if (!may_mount())
 		return -EPERM;
 	if (!old_name || !*old_name)
 		return -EINVAL;
@@ -1933,16 +1940,14 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
 			int mnt_flags, const char *name, void *data)
 {
 	struct file_system_type *type;
-	struct user_namespace *user_ns;
+	struct user_namespace *user_ns = current->nsproxy->mnt_ns->user_ns;
 	struct vfsmount *mnt;
 	int err;

 	if (!fstype)
 		return -EINVAL;

-	/* we need capabilities... */
-	user_ns = real_mount(path->mnt)->mnt_ns->user_ns;
-	if (!ns_capable(user_ns, CAP_SYS_ADMIN))
+	if (!may_mount())
 		return -EPERM;

 	type = get_fs_type(fstype);
@@ -2567,7 +2572,7 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
 	struct mount *new_mnt, *root_mnt;
 	int error;

-	if (!ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN))
+	if (!may_mount())
 		return -EPERM;

 	error = user_path_dir(new_root, &new);