| From 695e9df010e40f407f4830dc11d53dce957710ba Mon Sep 17 00:00:00 2001 |
| From: "Eric W. Biederman" <ebiederm@xmission.com> |
| Date: Fri, 10 Jun 2016 12:21:40 -0500 |
| Subject: mnt: Account for MS_RDONLY in fs_fully_visible |
| |
| From: Eric W. Biederman <ebiederm@xmission.com> |
| |
| commit 695e9df010e40f407f4830dc11d53dce957710ba upstream. |
| |
| In rare cases it is possible for s_flags & MS_RDONLY to be set but |
| MNT_READONLY to be clear. This starting combination can cause |
| fs_fully_visible to fail to ensure that the new mount is readonly. |
| Therefore force MNT_LOCK_READONLY in the new mount if MS_RDONLY |
| is set on the source filesystem of the mount. |
| |
| In general both MS_RDONLY and MNT_READONLY are set at the same for |
| mounts so I don't expect any programs to care. Nor do I expect |
| MS_RDONLY to be set on proc or sysfs in the initial user namespace, |
| which further decreases the likelyhood of problems. |
| |
| Which means this change should only affect system configurations by |
| paranoid sysadmins who should welcome the additional protection |
| as it keeps people from wriggling out of their policies. |
| |
| Fixes: 8c6cf9cc829f ("mnt: Modify fs_fully_visible to deal with locked ro nodev and atime") |
| Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/namespace.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/fs/namespace.c |
| +++ b/fs/namespace.c |
| @@ -3236,6 +3236,10 @@ static bool fs_fully_visible(struct file |
| if (mnt->mnt.mnt_sb->s_iflags & SB_I_NOEXEC) |
| mnt_flags &= ~(MNT_LOCK_NOSUID | MNT_LOCK_NOEXEC); |
| |
| + /* Don't miss readonly hidden in the superblock flags */ |
| + if (mnt->mnt.mnt_sb->s_flags & MS_RDONLY) |
| + mnt_flags |= MNT_LOCK_READONLY; |
| + |
| /* Verify the mount flags are equal to or more permissive |
| * than the proposed new mount. |
| */ |