Re: [PATCH] vfs: move_mount: reject moving kernel internal mounts

From: Al Viro
Date: Sun Jun 30 2019 - 21:08:52 EST


On Sat, Jun 29, 2019 at 09:39:16PM +0100, Al Viro wrote:
> On Sat, Jun 29, 2019 at 01:27:44PM -0700, Eric Biggers wrote:
>
> > @@ -2600,7 +2600,7 @@ static int do_move_mount(struct path *old_path, struct path *new_path)
> > if (attached && !check_mnt(old))
> > goto out;
> >
> > - if (!attached && !(ns && is_anon_ns(ns)))
> > + if (!attached && !(ns && ns != MNT_NS_INTERNAL && is_anon_ns(ns)))
> > goto out;
> >
> > if (old->mnt.mnt_flags & MNT_LOCKED)
>
> *UGH*
>
> Applied, but that code is getting really ugly ;-/

FWIW, it's too ugly and confusing. Look:
/* The mountpoint must be in our namespace. */
if (!check_mnt(p))
goto out;

/* The thing moved should be either ours or completely unattached. */
if (attached && !check_mnt(old))
goto out;

if (!attached && !(ns && ns != MNT_NS_INTERNAL && is_anon_ns(ns)))
goto out;

OK, the first check is sane and understandable. But let's look at what's
coming after it. We have two cases:
1) attached. IOW, old->mnt_parent != old. In that case we
require old->mnt_ns == current mnt_ns. Anything else is rejected.
2) !attached. old->mnt_parent == old. In that case we
require old->mnt_ns to be an anon namespace.

Let's reorder that a bit:
/* The mountpoint must be in our namespace. */
if (!check_mnt(p))
goto out;

/* The thing moved must be mounted... */
if (!is_mounted(old_path->mnt))
goto out;

/* ... and either ours or the root of anon namespace */
if (!(attached ? check_mnt(old) : is_anon_ns(ns)))
goto out;

IMO that looks saner and all it costs us is a redundant check
in attached case. Objections?