    vfs: Lock in place mounts from more privileged users · 5ff9d8a6
    Eric W. Biederman authored
    When creating a less privileged mount namespace or propagating mounts
    from a more privileged to a less privileged mount namespace, lock the
    submounts so they may not be unmounted individually in the child mount
    namespace, revealing what is under them.
    
    This enforces the reasonable expectation that it is not possible to
    see under a mount point.  Most of the time mounts are on empty
    directories and revealing that does not matter, however I have seen an
    occasionally sloppy configuration where there were interesting things
    concealed under a mount point that probably should not be revealed.
    
    Expirable submounts are not locked because they will eventually
    unmount automatically so whatever is under them already needs
    to be safe for unprivileged users to access.
    
    From a practical standpoint these restrictions do not appear to be
    significant for unprivileged users of the mount namespace.  Recursive
    bind mounts and pivot_root continue to work, and mounts that are
    created in a mount namespace may be unmounted there.  All of which
    means that the common idiom of keeping a directory of interesting
    files and using pivot_root to throw everything else away continues to
    work just fine.
    Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
    Acked-by: Andy Lutomirski <luto@amacapital.net>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Changed file: namespace.c
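The rule the commit message states can be checked against a small model. The following is an added example, not kernel code and not part of the commit: it models a mount tree in Python and applies exactly the rules described above (mounts copied into a less privileged namespace are locked unless they are expirable; a locked mount cannot be unmounted on its own; mounts created inside the namespace stay unlockable). The `Mount`, `MountNamespace`, `clone_mnt`, `copy_tree` and `demo` names and the `/data/secret` and `/net/auto` paths are constructed for the example; only the locked-flag behaviour follows the commit message.

```python
"""Model of the mount-locking rule described in the commit message.
Constructed example: this is not the kernel's fs/namespace.c code."""
import errno
from dataclasses import dataclass, field


@dataclass
class Mount:
    """One mount in a mount tree. `locked` stands in for the kernel's
    per-mount MNT_LOCKED flag introduced by this change."""
    path: str
    expirable: bool = False          # on an expiry list: will auto-unmount later
    locked: bool = False
    children: list = field(default_factory=list)


def clone_mnt(old: Mount, unprivileged: bool) -> Mount:
    """Copy one mount. A copy handed to a less privileged namespace is locked,
    unless the original is expirable (it will go away on its own anyway)."""
    locked = old.locked or (unprivileged and not old.expirable)
    return Mount(old.path, old.expirable, locked)


def copy_tree(old: Mount, unprivileged: bool) -> Mount:
    """Recursive copy of a subtree, as when a new mount namespace is created
    or mounts propagate into a less privileged namespace."""
    new = clone_mnt(old, unprivileged)
    new.children = [copy_tree(c, unprivileged) for c in old.children]
    return new


class MountNamespace:
    def __init__(self, root: Mount):
        self.root = root

    def _lookup(self, path: str):
        """Return (parent, mount) for path, or (None, None) if not a mountpoint."""
        def walk(parent, m):
            if m.path == path:
                return parent, m
            for c in m.children:
                found = walk(m, c)
                if found[1] is not None:
                    return found
            return None, None
        return walk(None, self.root)

    def mount(self, path: str, parent_path: str, expirable: bool = False) -> int:
        """A mount created inside this namespace is not locked."""
        _, parent = self._lookup(parent_path)
        if parent is None:
            return -errno.ENOENT
        parent.children.append(Mount(path, expirable))
        return 0

    def umount(self, path: str) -> int:
        """Return 0 on success or -errno, mirroring the umount(2) outcome."""
        parent, m = self._lookup(path)
        if m is None or parent is None:
            return -errno.EINVAL     # not a mountpoint, or the namespace root
        if m.locked:
            return -errno.EINVAL     # locked: may not be removed individually
        parent.children.remove(m)    # the whole subtree goes, locked children too
        return 0

    def mounted_paths(self) -> list:
        out = []
        def walk(m):
            out.append(m.path)
            for c in m.children:
                walk(c)
        walk(self.root)
        return sorted(out)


def demo() -> dict:
    # Constructed privileged namespace: a mount on /data hides /data/secret
    # under a submount, and /net/auto is an expirable automount.
    root = Mount("/")
    data = Mount("/data")
    data.children.append(Mount("/data/secret"))
    root.children += [data, Mount("/net/auto", expirable=True)]
    parent_ns = MountNamespace(root)

    # Same-privilege copy (mount namespace only): nothing is locked.
    same_priv = MountNamespace(copy_tree(parent_ns.root, unprivileged=False))
    # Less privileged copy (new user namespace + mount namespace): locked.
    child_ns = MountNamespace(copy_tree(parent_ns.root, unprivileged=True))
    results = {
        "umount_secret_in_same_priv_copy": same_priv.umount("/data/secret"),
        "umount_secret_in_child": child_ns.umount("/data/secret"),
        "umount_data_in_child": child_ns.umount("/data"),
        "umount_expirable_in_child": child_ns.umount("/net/auto"),
    }
    # Mounts created inside the child can still be unmounted there ...
    child_ns.mount("/mnt/x", "/")
    results["umount_own_mount_in_child"] = child_ns.umount("/mnt/x")
    # ... but become locked in a further, less privileged descendant.
    child_ns.mount("/mnt/y", "/")
    grandchild_ns = MountNamespace(copy_tree(child_ns.root, unprivileged=True))
    results["umount_childs_mount_in_grandchild"] = grandchild_ns.umount("/mnt/y")
    results["umount_y_in_child"] = child_ns.umount("/mnt/y")
    results["secret_still_covered_in_child"] = "/data/secret" in child_ns.mounted_paths()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast between `same_priv` and `child_ns` is the point of the change: a plain mount namespace copy leaves every submount removable, while a copy made for a less privileged user namespace pins the inherited mounts in place, so the covered `/data/secret` never becomes reachable from inside it.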