Re: [PATCH v1] fs/namespace: fix unprivileged mount propagation

From: Al Viro
Date: Mon Jun 17 2019 - 17:37:21 EST

On Mon, Jun 17, 2019 at 11:22:14PM +0200, Christian Brauner wrote:
> When propagating mounts across mount namespaces owned by different user
> namespaces it is not possible anymore to move or umount the mount in the
> less privileged mount namespace.
> Here is a reproducer:
> sudo mount -t tmpfs tmpfs /mnt
> sudo --make-rshared /mnt
> # create unprivileged user + mount namespace and preserve propagation
> unshare -U -m --map-root --propagation=unchanged
> # now change back to the original mount namespace in another terminal:
> sudo mkdir /mnt/aaa
> sudo mount -t tmpfs tmpfs /mnt/aaa
> # now in the unprivileged user + mount namespace
> mount --move /mnt/aaa /opt
> Unfortunately, this is a pretty big deal for userspace since this is
> e.g. used to inject mounts into running unprivileged containers.
> So this regression really needs to go away rather quickly.
> The problem is that a recent change falsely locked the root of the newly
> added mounts by setting MNT_LOCKED. Fix this by only locking the mounts
> on copy_mnt_ns() and not when adding a new mount.

Applied. Linus, if you want to apply it directly, feel free to add my
Acked-by. Alternatively, wait until tonight and I'll send a pull request
with that (as well as missing mntget() in fsmount(2) fix, at least).

Al, down to ~3Kmail in the pile...