1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * linux/fs/namespace.c
4 *
5 * (C) Copyright Al Viro 2000, 2001
6 *
7 * Based on code from fs/super.c, copyright Linus Torvalds and others.
8 * Heavily rewritten.
9 */
10
11 #include <linux/syscalls.h>
12 #include <linux/export.h>
13 #include <linux/capability.h>
14 #include <linux/mnt_namespace.h>
15 #include <linux/user_namespace.h>
16 #include <linux/namei.h>
17 #include <linux/security.h>
18 #include <linux/cred.h>
19 #include <linux/idr.h>
20 #include <linux/init.h> /* init_rootfs */
21 #include <linux/fs_struct.h> /* get_fs_root et.al. */
22 #include <linux/fsnotify.h> /* fsnotify_vfsmount_delete */
23 #include <linux/file.h>
24 #include <linux/uaccess.h>
25 #include <linux/proc_ns.h>
26 #include <linux/magic.h>
27 #include <linux/memblock.h>
28 #include <linux/proc_fs.h>
29 #include <linux/task_work.h>
30 #include <linux/sched/task.h>
31 #include <uapi/linux/mount.h>
32 #include <linux/fs_context.h>
33 #include <linux/shmem_fs.h>
34 #include <linux/mnt_idmapping.h>
35 #include <linux/pidfs.h>
36
37 #include "pnode.h"
38 #include "internal.h"
39
40 /* Maximum number of mounts in a mount namespace */
41 static unsigned int sysctl_mount_max __read_mostly = 100000;
42
43 static unsigned int m_hash_mask __ro_after_init;
44 static unsigned int m_hash_shift __ro_after_init;
45 static unsigned int mp_hash_mask __ro_after_init;
46 static unsigned int mp_hash_shift __ro_after_init;
47
48 static __initdata unsigned long mhash_entries;
set_mhash_entries(char * str)49 static int __init set_mhash_entries(char *str)
50 {
51 if (!str)
52 return 0;
53 mhash_entries = simple_strtoul(str, &str, 0);
54 return 1;
55 }
56 __setup("mhash_entries=", set_mhash_entries);
57
58 static __initdata unsigned long mphash_entries;
set_mphash_entries(char * str)59 static int __init set_mphash_entries(char *str)
60 {
61 if (!str)
62 return 0;
63 mphash_entries = simple_strtoul(str, &str, 0);
64 return 1;
65 }
66 __setup("mphash_entries=", set_mphash_entries);
67
68 static u64 event;
69 static DEFINE_XARRAY_FLAGS(mnt_id_xa, XA_FLAGS_ALLOC);
70 static DEFINE_IDA(mnt_group_ida);
71
72 /* Don't allow confusion with old 32bit mount ID */
73 #define MNT_UNIQUE_ID_OFFSET (1ULL << 31)
74 static u64 mnt_id_ctr = MNT_UNIQUE_ID_OFFSET;
75
76 static struct hlist_head *mount_hashtable __ro_after_init;
77 static struct hlist_head *mountpoint_hashtable __ro_after_init;
78 static struct kmem_cache *mnt_cache __ro_after_init;
79 static DECLARE_RWSEM(namespace_sem);
80 static HLIST_HEAD(unmounted); /* protected by namespace_sem */
81 static LIST_HEAD(ex_mountpoints); /* protected by namespace_sem */
82 static DEFINE_SEQLOCK(mnt_ns_tree_lock);
83
84 #ifdef CONFIG_FSNOTIFY
85 LIST_HEAD(notify_list); /* protected by namespace_sem */
86 #endif
87 static struct rb_root mnt_ns_tree = RB_ROOT; /* protected by mnt_ns_tree_lock */
88 static LIST_HEAD(mnt_ns_list); /* protected by mnt_ns_tree_lock */
89
90 enum mount_kattr_flags_t {
91 MOUNT_KATTR_RECURSE = (1 << 0),
92 MOUNT_KATTR_IDMAP_REPLACE = (1 << 1),
93 };
94
95 struct mount_kattr {
96 unsigned int attr_set;
97 unsigned int attr_clr;
98 unsigned int propagation;
99 unsigned int lookup_flags;
100 enum mount_kattr_flags_t kflags;
101 struct user_namespace *mnt_userns;
102 struct mnt_idmap *mnt_idmap;
103 };
104
105 /* /sys/fs */
106 struct kobject *fs_kobj __ro_after_init;
107 EXPORT_SYMBOL_GPL(fs_kobj);
108
109 /*
110 * vfsmount lock may be taken for read to prevent changes to the
111 * vfsmount hash, ie. during mountpoint lookups or walking back
112 * up the tree.
113 *
114 * It should be taken for write in all cases where the vfsmount
115 * tree or hash is modified or when a vfsmount structure is modified.
116 */
117 __cacheline_aligned_in_smp DEFINE_SEQLOCK(mount_lock);
118
node_to_mnt_ns(const struct rb_node * node)119 static inline struct mnt_namespace *node_to_mnt_ns(const struct rb_node *node)
120 {
121 if (!node)
122 return NULL;
123 return rb_entry(node, struct mnt_namespace, mnt_ns_tree_node);
124 }
125
mnt_ns_cmp(struct rb_node * a,const struct rb_node * b)126 static int mnt_ns_cmp(struct rb_node *a, const struct rb_node *b)
127 {
128 struct mnt_namespace *ns_a = node_to_mnt_ns(a);
129 struct mnt_namespace *ns_b = node_to_mnt_ns(b);
130 u64 seq_a = ns_a->seq;
131 u64 seq_b = ns_b->seq;
132
133 if (seq_a < seq_b)
134 return -1;
135 if (seq_a > seq_b)
136 return 1;
137 return 0;
138 }
139
mnt_ns_tree_write_lock(void)140 static inline void mnt_ns_tree_write_lock(void)
141 {
142 write_seqlock(&mnt_ns_tree_lock);
143 }
144
mnt_ns_tree_write_unlock(void)145 static inline void mnt_ns_tree_write_unlock(void)
146 {
147 write_sequnlock(&mnt_ns_tree_lock);
148 }
149
mnt_ns_tree_add(struct mnt_namespace * ns)150 static void mnt_ns_tree_add(struct mnt_namespace *ns)
151 {
152 struct rb_node *node, *prev;
153
154 mnt_ns_tree_write_lock();
155 node = rb_find_add_rcu(&ns->mnt_ns_tree_node, &mnt_ns_tree, mnt_ns_cmp);
156 /*
157 * If there's no previous entry simply add it after the
158 * head and if there is add it after the previous entry.
159 */
160 prev = rb_prev(&ns->mnt_ns_tree_node);
161 if (!prev)
162 list_add_rcu(&ns->mnt_ns_list, &mnt_ns_list);
163 else
164 list_add_rcu(&ns->mnt_ns_list, &node_to_mnt_ns(prev)->mnt_ns_list);
165 mnt_ns_tree_write_unlock();
166
167 WARN_ON_ONCE(node);
168 }
169
mnt_ns_release(struct mnt_namespace * ns)170 static void mnt_ns_release(struct mnt_namespace *ns)
171 {
172 /* keep alive for {list,stat}mount() */
173 if (refcount_dec_and_test(&ns->passive)) {
174 fsnotify_mntns_delete(ns);
175 put_user_ns(ns->user_ns);
176 kfree(ns);
177 }
178 }
DEFINE_FREE(mnt_ns_release,struct mnt_namespace *,if (_T)mnt_ns_release (_T))179 DEFINE_FREE(mnt_ns_release, struct mnt_namespace *, if (_T) mnt_ns_release(_T))
180
181 static void mnt_ns_release_rcu(struct rcu_head *rcu)
182 {
183 mnt_ns_release(container_of(rcu, struct mnt_namespace, mnt_ns_rcu));
184 }
185
mnt_ns_tree_remove(struct mnt_namespace * ns)186 static void mnt_ns_tree_remove(struct mnt_namespace *ns)
187 {
188 /* remove from global mount namespace list */
189 if (!is_anon_ns(ns)) {
190 mnt_ns_tree_write_lock();
191 rb_erase(&ns->mnt_ns_tree_node, &mnt_ns_tree);
192 list_bidir_del_rcu(&ns->mnt_ns_list);
193 mnt_ns_tree_write_unlock();
194 }
195
196 call_rcu(&ns->mnt_ns_rcu, mnt_ns_release_rcu);
197 }
198
mnt_ns_find(const void * key,const struct rb_node * node)199 static int mnt_ns_find(const void *key, const struct rb_node *node)
200 {
201 const u64 mnt_ns_id = *(u64 *)key;
202 const struct mnt_namespace *ns = node_to_mnt_ns(node);
203
204 if (mnt_ns_id < ns->seq)
205 return -1;
206 if (mnt_ns_id > ns->seq)
207 return 1;
208 return 0;
209 }
210
211 /*
212 * Lookup a mount namespace by id and take a passive reference count. Taking a
213 * passive reference means the mount namespace can be emptied if e.g., the last
214 * task holding an active reference exits. To access the mounts of the
215 * namespace the @namespace_sem must first be acquired. If the namespace has
216 * already shut down before acquiring @namespace_sem, {list,stat}mount() will
217 * see that the mount rbtree of the namespace is empty.
218 *
219 * Note the lookup is lockless protected by a sequence counter. We only
220 * need to guard against false negatives as false positives aren't
221 * possible. So if we didn't find a mount namespace and the sequence
222 * counter has changed we need to retry. If the sequence counter is
223 * still the same we know the search actually failed.
224 */
lookup_mnt_ns(u64 mnt_ns_id)225 static struct mnt_namespace *lookup_mnt_ns(u64 mnt_ns_id)
226 {
227 struct mnt_namespace *ns;
228 struct rb_node *node;
229 unsigned int seq;
230
231 guard(rcu)();
232 do {
233 seq = read_seqbegin(&mnt_ns_tree_lock);
234 node = rb_find_rcu(&mnt_ns_id, &mnt_ns_tree, mnt_ns_find);
235 if (node)
236 break;
237 } while (read_seqretry(&mnt_ns_tree_lock, seq));
238
239 if (!node)
240 return NULL;
241
242 /*
243 * The last reference count is put with RCU delay so we can
244 * unconditonally acquire a reference here.
245 */
246 ns = node_to_mnt_ns(node);
247 refcount_inc(&ns->passive);
248 return ns;
249 }
250
lock_mount_hash(void)251 static inline void lock_mount_hash(void)
252 {
253 write_seqlock(&mount_lock);
254 }
255
unlock_mount_hash(void)256 static inline void unlock_mount_hash(void)
257 {
258 write_sequnlock(&mount_lock);
259 }
260
m_hash(struct vfsmount * mnt,struct dentry * dentry)261 static inline struct hlist_head *m_hash(struct vfsmount *mnt, struct dentry *dentry)
262 {
263 unsigned long tmp = ((unsigned long)mnt / L1_CACHE_BYTES);
264 tmp += ((unsigned long)dentry / L1_CACHE_BYTES);
265 tmp = tmp + (tmp >> m_hash_shift);
266 return &mount_hashtable[tmp & m_hash_mask];
267 }
268
mp_hash(struct dentry * dentry)269 static inline struct hlist_head *mp_hash(struct dentry *dentry)
270 {
271 unsigned long tmp = ((unsigned long)dentry / L1_CACHE_BYTES);
272 tmp = tmp + (tmp >> mp_hash_shift);
273 return &mountpoint_hashtable[tmp & mp_hash_mask];
274 }
275
mnt_alloc_id(struct mount * mnt)276 static int mnt_alloc_id(struct mount *mnt)
277 {
278 int res;
279
280 xa_lock(&mnt_id_xa);
281 res = __xa_alloc(&mnt_id_xa, &mnt->mnt_id, mnt, XA_LIMIT(1, INT_MAX), GFP_KERNEL);
282 if (!res)
283 mnt->mnt_id_unique = ++mnt_id_ctr;
284 xa_unlock(&mnt_id_xa);
285 return res;
286 }
287
mnt_free_id(struct mount * mnt)288 static void mnt_free_id(struct mount *mnt)
289 {
290 xa_erase(&mnt_id_xa, mnt->mnt_id);
291 }
292
293 /*
294 * Allocate a new peer group ID
295 */
mnt_alloc_group_id(struct mount * mnt)296 static int mnt_alloc_group_id(struct mount *mnt)
297 {
298 int res = ida_alloc_min(&mnt_group_ida, 1, GFP_KERNEL);
299
300 if (res < 0)
301 return res;
302 mnt->mnt_group_id = res;
303 return 0;
304 }
305
306 /*
307 * Release a peer group ID
308 */
mnt_release_group_id(struct mount * mnt)309 void mnt_release_group_id(struct mount *mnt)
310 {
311 ida_free(&mnt_group_ida, mnt->mnt_group_id);
312 mnt->mnt_group_id = 0;
313 }
314
315 /*
316 * vfsmount lock must be held for read
317 */
mnt_add_count(struct mount * mnt,int n)318 static inline void mnt_add_count(struct mount *mnt, int n)
319 {
320 #ifdef CONFIG_SMP
321 this_cpu_add(mnt->mnt_pcp->mnt_count, n);
322 #else
323 preempt_disable();
324 mnt->mnt_count += n;
325 preempt_enable();
326 #endif
327 }
328
329 /*
330 * vfsmount lock must be held for write
331 */
mnt_get_count(struct mount * mnt)332 int mnt_get_count(struct mount *mnt)
333 {
334 #ifdef CONFIG_SMP
335 int count = 0;
336 int cpu;
337
338 for_each_possible_cpu(cpu) {
339 count += per_cpu_ptr(mnt->mnt_pcp, cpu)->mnt_count;
340 }
341
342 return count;
343 #else
344 return mnt->mnt_count;
345 #endif
346 }
347
alloc_vfsmnt(const char * name)348 static struct mount *alloc_vfsmnt(const char *name)
349 {
350 struct mount *mnt = kmem_cache_zalloc(mnt_cache, GFP_KERNEL);
351 if (mnt) {
352 int err;
353
354 err = mnt_alloc_id(mnt);
355 if (err)
356 goto out_free_cache;
357
358 if (name)
359 mnt->mnt_devname = kstrdup_const(name,
360 GFP_KERNEL_ACCOUNT);
361 else
362 mnt->mnt_devname = "none";
363 if (!mnt->mnt_devname)
364 goto out_free_id;
365
366 #ifdef CONFIG_SMP
367 mnt->mnt_pcp = alloc_percpu(struct mnt_pcp);
368 if (!mnt->mnt_pcp)
369 goto out_free_devname;
370
371 this_cpu_add(mnt->mnt_pcp->mnt_count, 1);
372 #else
373 mnt->mnt_count = 1;
374 mnt->mnt_writers = 0;
375 #endif
376
377 INIT_HLIST_NODE(&mnt->mnt_hash);
378 INIT_LIST_HEAD(&mnt->mnt_child);
379 INIT_LIST_HEAD(&mnt->mnt_mounts);
380 INIT_LIST_HEAD(&mnt->mnt_list);
381 INIT_LIST_HEAD(&mnt->mnt_expire);
382 INIT_LIST_HEAD(&mnt->mnt_share);
383 INIT_LIST_HEAD(&mnt->mnt_slave_list);
384 INIT_LIST_HEAD(&mnt->mnt_slave);
385 INIT_HLIST_NODE(&mnt->mnt_mp_list);
386 INIT_LIST_HEAD(&mnt->mnt_umounting);
387 INIT_HLIST_HEAD(&mnt->mnt_stuck_children);
388 RB_CLEAR_NODE(&mnt->mnt_node);
389 mnt->mnt.mnt_idmap = &nop_mnt_idmap;
390 }
391 return mnt;
392
393 #ifdef CONFIG_SMP
394 out_free_devname:
395 kfree_const(mnt->mnt_devname);
396 #endif
397 out_free_id:
398 mnt_free_id(mnt);
399 out_free_cache:
400 kmem_cache_free(mnt_cache, mnt);
401 return NULL;
402 }
403
404 /*
405 * Most r/o checks on a fs are for operations that take
406 * discrete amounts of time, like a write() or unlink().
407 * We must keep track of when those operations start
408 * (for permission checks) and when they end, so that
409 * we can determine when writes are able to occur to
410 * a filesystem.
411 */
412 /*
413 * __mnt_is_readonly: check whether a mount is read-only
414 * @mnt: the mount to check for its write status
415 *
416 * This shouldn't be used directly ouside of the VFS.
417 * It does not guarantee that the filesystem will stay
418 * r/w, just that it is right *now*. This can not and
419 * should not be used in place of IS_RDONLY(inode).
420 * mnt_want/drop_write() will _keep_ the filesystem
421 * r/w.
422 */
__mnt_is_readonly(struct vfsmount * mnt)423 bool __mnt_is_readonly(struct vfsmount *mnt)
424 {
425 return (mnt->mnt_flags & MNT_READONLY) || sb_rdonly(mnt->mnt_sb);
426 }
427 EXPORT_SYMBOL_GPL(__mnt_is_readonly);
428
mnt_inc_writers(struct mount * mnt)429 static inline void mnt_inc_writers(struct mount *mnt)
430 {
431 #ifdef CONFIG_SMP
432 this_cpu_inc(mnt->mnt_pcp->mnt_writers);
433 #else
434 mnt->mnt_writers++;
435 #endif
436 }
437
mnt_dec_writers(struct mount * mnt)438 static inline void mnt_dec_writers(struct mount *mnt)
439 {
440 #ifdef CONFIG_SMP
441 this_cpu_dec(mnt->mnt_pcp->mnt_writers);
442 #else
443 mnt->mnt_writers--;
444 #endif
445 }
446
mnt_get_writers(struct mount * mnt)447 static unsigned int mnt_get_writers(struct mount *mnt)
448 {
449 #ifdef CONFIG_SMP
450 unsigned int count = 0;
451 int cpu;
452
453 for_each_possible_cpu(cpu) {
454 count += per_cpu_ptr(mnt->mnt_pcp, cpu)->mnt_writers;
455 }
456
457 return count;
458 #else
459 return mnt->mnt_writers;
460 #endif
461 }
462
mnt_is_readonly(struct vfsmount * mnt)463 static int mnt_is_readonly(struct vfsmount *mnt)
464 {
465 if (READ_ONCE(mnt->mnt_sb->s_readonly_remount))
466 return 1;
467 /*
468 * The barrier pairs with the barrier in sb_start_ro_state_change()
469 * making sure if we don't see s_readonly_remount set yet, we also will
470 * not see any superblock / mount flag changes done by remount.
471 * It also pairs with the barrier in sb_end_ro_state_change()
472 * assuring that if we see s_readonly_remount already cleared, we will
473 * see the values of superblock / mount flags updated by remount.
474 */
475 smp_rmb();
476 return __mnt_is_readonly(mnt);
477 }
478
479 /*
480 * Most r/o & frozen checks on a fs are for operations that take discrete
481 * amounts of time, like a write() or unlink(). We must keep track of when
482 * those operations start (for permission checks) and when they end, so that we
483 * can determine when writes are able to occur to a filesystem.
484 */
485 /**
486 * mnt_get_write_access - get write access to a mount without freeze protection
487 * @m: the mount on which to take a write
488 *
489 * This tells the low-level filesystem that a write is about to be performed to
490 * it, and makes sure that writes are allowed (mnt it read-write) before
491 * returning success. This operation does not protect against filesystem being
492 * frozen. When the write operation is finished, mnt_put_write_access() must be
493 * called. This is effectively a refcount.
494 */
mnt_get_write_access(struct vfsmount * m)495 int mnt_get_write_access(struct vfsmount *m)
496 {
497 struct mount *mnt = real_mount(m);
498 int ret = 0;
499
500 preempt_disable();
501 mnt_inc_writers(mnt);
502 /*
503 * The store to mnt_inc_writers must be visible before we pass
504 * MNT_WRITE_HOLD loop below, so that the slowpath can see our
505 * incremented count after it has set MNT_WRITE_HOLD.
506 */
507 smp_mb();
508 might_lock(&mount_lock.lock);
509 while (READ_ONCE(mnt->mnt.mnt_flags) & MNT_WRITE_HOLD) {
510 if (!IS_ENABLED(CONFIG_PREEMPT_RT)) {
511 cpu_relax();
512 } else {
513 /*
514 * This prevents priority inversion, if the task
515 * setting MNT_WRITE_HOLD got preempted on a remote
516 * CPU, and it prevents life lock if the task setting
517 * MNT_WRITE_HOLD has a lower priority and is bound to
518 * the same CPU as the task that is spinning here.
519 */
520 preempt_enable();
521 lock_mount_hash();
522 unlock_mount_hash();
523 preempt_disable();
524 }
525 }
526 /*
527 * The barrier pairs with the barrier sb_start_ro_state_change() making
528 * sure that if we see MNT_WRITE_HOLD cleared, we will also see
529 * s_readonly_remount set (or even SB_RDONLY / MNT_READONLY flags) in
530 * mnt_is_readonly() and bail in case we are racing with remount
531 * read-only.
532 */
533 smp_rmb();
534 if (mnt_is_readonly(m)) {
535 mnt_dec_writers(mnt);
536 ret = -EROFS;
537 }
538 preempt_enable();
539
540 return ret;
541 }
542 EXPORT_SYMBOL_GPL(mnt_get_write_access);
543
544 /**
545 * mnt_want_write - get write access to a mount
546 * @m: the mount on which to take a write
547 *
548 * This tells the low-level filesystem that a write is about to be performed to
549 * it, and makes sure that writes are allowed (mount is read-write, filesystem
550 * is not frozen) before returning success. When the write operation is
551 * finished, mnt_drop_write() must be called. This is effectively a refcount.
552 */
mnt_want_write(struct vfsmount * m)553 int mnt_want_write(struct vfsmount *m)
554 {
555 int ret;
556
557 sb_start_write(m->mnt_sb);
558 ret = mnt_get_write_access(m);
559 if (ret)
560 sb_end_write(m->mnt_sb);
561 return ret;
562 }
563 EXPORT_SYMBOL_GPL(mnt_want_write);
564
565 /**
566 * mnt_get_write_access_file - get write access to a file's mount
567 * @file: the file who's mount on which to take a write
568 *
569 * This is like mnt_get_write_access, but if @file is already open for write it
570 * skips incrementing mnt_writers (since the open file already has a reference)
571 * and instead only does the check for emergency r/o remounts. This must be
572 * paired with mnt_put_write_access_file.
573 */
mnt_get_write_access_file(struct file * file)574 int mnt_get_write_access_file(struct file *file)
575 {
576 if (file->f_mode & FMODE_WRITER) {
577 /*
578 * Superblock may have become readonly while there are still
579 * writable fd's, e.g. due to a fs error with errors=remount-ro
580 */
581 if (__mnt_is_readonly(file->f_path.mnt))
582 return -EROFS;
583 return 0;
584 }
585 return mnt_get_write_access(file->f_path.mnt);
586 }
587
588 /**
589 * mnt_want_write_file - get write access to a file's mount
590 * @file: the file who's mount on which to take a write
591 *
592 * This is like mnt_want_write, but if the file is already open for writing it
593 * skips incrementing mnt_writers (since the open file already has a reference)
594 * and instead only does the freeze protection and the check for emergency r/o
595 * remounts. This must be paired with mnt_drop_write_file.
596 */
mnt_want_write_file(struct file * file)597 int mnt_want_write_file(struct file *file)
598 {
599 int ret;
600
601 sb_start_write(file_inode(file)->i_sb);
602 ret = mnt_get_write_access_file(file);
603 if (ret)
604 sb_end_write(file_inode(file)->i_sb);
605 return ret;
606 }
607 EXPORT_SYMBOL_GPL(mnt_want_write_file);
608
609 /**
610 * mnt_put_write_access - give up write access to a mount
611 * @mnt: the mount on which to give up write access
612 *
613 * Tells the low-level filesystem that we are done
614 * performing writes to it. Must be matched with
615 * mnt_get_write_access() call above.
616 */
mnt_put_write_access(struct vfsmount * mnt)617 void mnt_put_write_access(struct vfsmount *mnt)
618 {
619 preempt_disable();
620 mnt_dec_writers(real_mount(mnt));
621 preempt_enable();
622 }
623 EXPORT_SYMBOL_GPL(mnt_put_write_access);
624
625 /**
626 * mnt_drop_write - give up write access to a mount
627 * @mnt: the mount on which to give up write access
628 *
629 * Tells the low-level filesystem that we are done performing writes to it and
630 * also allows filesystem to be frozen again. Must be matched with
631 * mnt_want_write() call above.
632 */
mnt_drop_write(struct vfsmount * mnt)633 void mnt_drop_write(struct vfsmount *mnt)
634 {
635 mnt_put_write_access(mnt);
636 sb_end_write(mnt->mnt_sb);
637 }
638 EXPORT_SYMBOL_GPL(mnt_drop_write);
639
mnt_put_write_access_file(struct file * file)640 void mnt_put_write_access_file(struct file *file)
641 {
642 if (!(file->f_mode & FMODE_WRITER))
643 mnt_put_write_access(file->f_path.mnt);
644 }
645
mnt_drop_write_file(struct file * file)646 void mnt_drop_write_file(struct file *file)
647 {
648 mnt_put_write_access_file(file);
649 sb_end_write(file_inode(file)->i_sb);
650 }
651 EXPORT_SYMBOL(mnt_drop_write_file);
652
653 /**
654 * mnt_hold_writers - prevent write access to the given mount
655 * @mnt: mnt to prevent write access to
656 *
657 * Prevents write access to @mnt if there are no active writers for @mnt.
658 * This function needs to be called and return successfully before changing
659 * properties of @mnt that need to remain stable for callers with write access
660 * to @mnt.
661 *
662 * After this functions has been called successfully callers must pair it with
663 * a call to mnt_unhold_writers() in order to stop preventing write access to
664 * @mnt.
665 *
666 * Context: This function expects lock_mount_hash() to be held serializing
667 * setting MNT_WRITE_HOLD.
668 * Return: On success 0 is returned.
669 * On error, -EBUSY is returned.
670 */
mnt_hold_writers(struct mount * mnt)671 static inline int mnt_hold_writers(struct mount *mnt)
672 {
673 mnt->mnt.mnt_flags |= MNT_WRITE_HOLD;
674 /*
675 * After storing MNT_WRITE_HOLD, we'll read the counters. This store
676 * should be visible before we do.
677 */
678 smp_mb();
679
680 /*
681 * With writers on hold, if this value is zero, then there are
682 * definitely no active writers (although held writers may subsequently
683 * increment the count, they'll have to wait, and decrement it after
684 * seeing MNT_READONLY).
685 *
686 * It is OK to have counter incremented on one CPU and decremented on
687 * another: the sum will add up correctly. The danger would be when we
688 * sum up each counter, if we read a counter before it is incremented,
689 * but then read another CPU's count which it has been subsequently
690 * decremented from -- we would see more decrements than we should.
691 * MNT_WRITE_HOLD protects against this scenario, because
692 * mnt_want_write first increments count, then smp_mb, then spins on
693 * MNT_WRITE_HOLD, so it can't be decremented by another CPU while
694 * we're counting up here.
695 */
696 if (mnt_get_writers(mnt) > 0)
697 return -EBUSY;
698
699 return 0;
700 }
701
702 /**
703 * mnt_unhold_writers - stop preventing write access to the given mount
704 * @mnt: mnt to stop preventing write access to
705 *
706 * Stop preventing write access to @mnt allowing callers to gain write access
707 * to @mnt again.
708 *
709 * This function can only be called after a successful call to
710 * mnt_hold_writers().
711 *
712 * Context: This function expects lock_mount_hash() to be held.
713 */
mnt_unhold_writers(struct mount * mnt)714 static inline void mnt_unhold_writers(struct mount *mnt)
715 {
716 /*
717 * MNT_READONLY must become visible before ~MNT_WRITE_HOLD, so writers
718 * that become unheld will see MNT_READONLY.
719 */
720 smp_wmb();
721 mnt->mnt.mnt_flags &= ~MNT_WRITE_HOLD;
722 }
723
mnt_make_readonly(struct mount * mnt)724 static int mnt_make_readonly(struct mount *mnt)
725 {
726 int ret;
727
728 ret = mnt_hold_writers(mnt);
729 if (!ret)
730 mnt->mnt.mnt_flags |= MNT_READONLY;
731 mnt_unhold_writers(mnt);
732 return ret;
733 }
734
sb_prepare_remount_readonly(struct super_block * sb)735 int sb_prepare_remount_readonly(struct super_block *sb)
736 {
737 struct mount *mnt;
738 int err = 0;
739
740 /* Racy optimization. Recheck the counter under MNT_WRITE_HOLD */
741 if (atomic_long_read(&sb->s_remove_count))
742 return -EBUSY;
743
744 lock_mount_hash();
745 list_for_each_entry(mnt, &sb->s_mounts, mnt_instance) {
746 if (!(mnt->mnt.mnt_flags & MNT_READONLY)) {
747 err = mnt_hold_writers(mnt);
748 if (err)
749 break;
750 }
751 }
752 if (!err && atomic_long_read(&sb->s_remove_count))
753 err = -EBUSY;
754
755 if (!err)
756 sb_start_ro_state_change(sb);
757 list_for_each_entry(mnt, &sb->s_mounts, mnt_instance) {
758 if (mnt->mnt.mnt_flags & MNT_WRITE_HOLD)
759 mnt->mnt.mnt_flags &= ~MNT_WRITE_HOLD;
760 }
761 unlock_mount_hash();
762
763 return err;
764 }
765
free_vfsmnt(struct mount * mnt)766 static void free_vfsmnt(struct mount *mnt)
767 {
768 mnt_idmap_put(mnt_idmap(&mnt->mnt));
769 kfree_const(mnt->mnt_devname);
770 #ifdef CONFIG_SMP
771 free_percpu(mnt->mnt_pcp);
772 #endif
773 kmem_cache_free(mnt_cache, mnt);
774 }
775
delayed_free_vfsmnt(struct rcu_head * head)776 static void delayed_free_vfsmnt(struct rcu_head *head)
777 {
778 free_vfsmnt(container_of(head, struct mount, mnt_rcu));
779 }
780
781 /* call under rcu_read_lock */
__legitimize_mnt(struct vfsmount * bastard,unsigned seq)782 int __legitimize_mnt(struct vfsmount *bastard, unsigned seq)
783 {
784 struct mount *mnt;
785 if (read_seqretry(&mount_lock, seq))
786 return 1;
787 if (bastard == NULL)
788 return 0;
789 mnt = real_mount(bastard);
790 mnt_add_count(mnt, 1);
791 smp_mb(); // see mntput_no_expire() and do_umount()
792 if (likely(!read_seqretry(&mount_lock, seq)))
793 return 0;
794 lock_mount_hash();
795 if (unlikely(bastard->mnt_flags & (MNT_SYNC_UMOUNT | MNT_DOOMED))) {
796 mnt_add_count(mnt, -1);
797 unlock_mount_hash();
798 return 1;
799 }
800 unlock_mount_hash();
801 /* caller will mntput() */
802 return -1;
803 }
804
805 /* call under rcu_read_lock */
legitimize_mnt(struct vfsmount * bastard,unsigned seq)806 static bool legitimize_mnt(struct vfsmount *bastard, unsigned seq)
807 {
808 int res = __legitimize_mnt(bastard, seq);
809 if (likely(!res))
810 return true;
811 if (unlikely(res < 0)) {
812 rcu_read_unlock();
813 mntput(bastard);
814 rcu_read_lock();
815 }
816 return false;
817 }
818
819 /**
820 * __lookup_mnt - find first child mount
821 * @mnt: parent mount
822 * @dentry: mountpoint
823 *
824 * If @mnt has a child mount @c mounted @dentry find and return it.
825 *
826 * Note that the child mount @c need not be unique. There are cases
827 * where shadow mounts are created. For example, during mount
828 * propagation when a source mount @mnt whose root got overmounted by a
829 * mount @o after path lookup but before @namespace_sem could be
830 * acquired gets copied and propagated. So @mnt gets copied including
831 * @o. When @mnt is propagated to a destination mount @d that already
832 * has another mount @n mounted at the same mountpoint then the source
833 * mount @mnt will be tucked beneath @n, i.e., @n will be mounted on
834 * @mnt and @mnt mounted on @d. Now both @n and @o are mounted at @mnt
835 * on @dentry.
836 *
837 * Return: The first child of @mnt mounted @dentry or NULL.
838 */
__lookup_mnt(struct vfsmount * mnt,struct dentry * dentry)839 struct mount *__lookup_mnt(struct vfsmount *mnt, struct dentry *dentry)
840 {
841 struct hlist_head *head = m_hash(mnt, dentry);
842 struct mount *p;
843
844 hlist_for_each_entry_rcu(p, head, mnt_hash)
845 if (&p->mnt_parent->mnt == mnt && p->mnt_mountpoint == dentry)
846 return p;
847 return NULL;
848 }
849
850 /*
851 * lookup_mnt - Return the first child mount mounted at path
852 *
853 * "First" means first mounted chronologically. If you create the
854 * following mounts:
855 *
856 * mount /dev/sda1 /mnt
857 * mount /dev/sda2 /mnt
858 * mount /dev/sda3 /mnt
859 *
860 * Then lookup_mnt() on the base /mnt dentry in the root mount will
861 * return successively the root dentry and vfsmount of /dev/sda1, then
862 * /dev/sda2, then /dev/sda3, then NULL.
863 *
864 * lookup_mnt takes a reference to the found vfsmount.
865 */
lookup_mnt(const struct path * path)866 struct vfsmount *lookup_mnt(const struct path *path)
867 {
868 struct mount *child_mnt;
869 struct vfsmount *m;
870 unsigned seq;
871
872 rcu_read_lock();
873 do {
874 seq = read_seqbegin(&mount_lock);
875 child_mnt = __lookup_mnt(path->mnt, path->dentry);
876 m = child_mnt ? &child_mnt->mnt : NULL;
877 } while (!legitimize_mnt(m, seq));
878 rcu_read_unlock();
879 return m;
880 }
881
882 /*
883 * __is_local_mountpoint - Test to see if dentry is a mountpoint in the
884 * current mount namespace.
885 *
886 * The common case is dentries are not mountpoints at all and that
887 * test is handled inline. For the slow case when we are actually
888 * dealing with a mountpoint of some kind, walk through all of the
889 * mounts in the current mount namespace and test to see if the dentry
890 * is a mountpoint.
891 *
892 * The mount_hashtable is not usable in the context because we
893 * need to identify all mounts that may be in the current mount
894 * namespace not just a mount that happens to have some specified
895 * parent mount.
896 */
__is_local_mountpoint(struct dentry * dentry)897 bool __is_local_mountpoint(struct dentry *dentry)
898 {
899 struct mnt_namespace *ns = current->nsproxy->mnt_ns;
900 struct mount *mnt, *n;
901 bool is_covered = false;
902
903 down_read(&namespace_sem);
904 rbtree_postorder_for_each_entry_safe(mnt, n, &ns->mounts, mnt_node) {
905 is_covered = (mnt->mnt_mountpoint == dentry);
906 if (is_covered)
907 break;
908 }
909 up_read(&namespace_sem);
910
911 return is_covered;
912 }
913
lookup_mountpoint(struct dentry * dentry)914 static struct mountpoint *lookup_mountpoint(struct dentry *dentry)
915 {
916 struct hlist_head *chain = mp_hash(dentry);
917 struct mountpoint *mp;
918
919 hlist_for_each_entry(mp, chain, m_hash) {
920 if (mp->m_dentry == dentry) {
921 mp->m_count++;
922 return mp;
923 }
924 }
925 return NULL;
926 }
927
get_mountpoint(struct dentry * dentry)928 static struct mountpoint *get_mountpoint(struct dentry *dentry)
929 {
930 struct mountpoint *mp, *new = NULL;
931 int ret;
932
933 if (d_mountpoint(dentry)) {
934 /* might be worth a WARN_ON() */
935 if (d_unlinked(dentry))
936 return ERR_PTR(-ENOENT);
937 mountpoint:
938 read_seqlock_excl(&mount_lock);
939 mp = lookup_mountpoint(dentry);
940 read_sequnlock_excl(&mount_lock);
941 if (mp)
942 goto done;
943 }
944
945 if (!new)
946 new = kmalloc(sizeof(struct mountpoint), GFP_KERNEL);
947 if (!new)
948 return ERR_PTR(-ENOMEM);
949
950
951 /* Exactly one processes may set d_mounted */
952 ret = d_set_mounted(dentry);
953
954 /* Someone else set d_mounted? */
955 if (ret == -EBUSY)
956 goto mountpoint;
957
958 /* The dentry is not available as a mountpoint? */
959 mp = ERR_PTR(ret);
960 if (ret)
961 goto done;
962
963 /* Add the new mountpoint to the hash table */
964 read_seqlock_excl(&mount_lock);
965 new->m_dentry = dget(dentry);
966 new->m_count = 1;
967 hlist_add_head(&new->m_hash, mp_hash(dentry));
968 INIT_HLIST_HEAD(&new->m_list);
969 read_sequnlock_excl(&mount_lock);
970
971 mp = new;
972 new = NULL;
973 done:
974 kfree(new);
975 return mp;
976 }
977
978 /*
979 * vfsmount lock must be held. Additionally, the caller is responsible
980 * for serializing calls for given disposal list.
981 */
__put_mountpoint(struct mountpoint * mp,struct list_head * list)982 static void __put_mountpoint(struct mountpoint *mp, struct list_head *list)
983 {
984 if (!--mp->m_count) {
985 struct dentry *dentry = mp->m_dentry;
986 BUG_ON(!hlist_empty(&mp->m_list));
987 spin_lock(&dentry->d_lock);
988 dentry->d_flags &= ~DCACHE_MOUNTED;
989 spin_unlock(&dentry->d_lock);
990 dput_to_list(dentry, list);
991 hlist_del(&mp->m_hash);
992 kfree(mp);
993 }
994 }
995
996 /* called with namespace_lock and vfsmount lock */
put_mountpoint(struct mountpoint * mp)997 static void put_mountpoint(struct mountpoint *mp)
998 {
999 __put_mountpoint(mp, &ex_mountpoints);
1000 }
1001
check_mnt(struct mount * mnt)1002 static inline int check_mnt(struct mount *mnt)
1003 {
1004 return mnt->mnt_ns == current->nsproxy->mnt_ns;
1005 }
1006
check_anonymous_mnt(struct mount * mnt)1007 static inline bool check_anonymous_mnt(struct mount *mnt)
1008 {
1009 u64 seq;
1010
1011 if (!is_anon_ns(mnt->mnt_ns))
1012 return false;
1013
1014 seq = mnt->mnt_ns->seq_origin;
1015 return !seq || (seq == current->nsproxy->mnt_ns->seq);
1016 }
1017
1018 /*
1019 * vfsmount lock must be held for write
1020 */
touch_mnt_namespace(struct mnt_namespace * ns)1021 static void touch_mnt_namespace(struct mnt_namespace *ns)
1022 {
1023 if (ns) {
1024 ns->event = ++event;
1025 wake_up_interruptible(&ns->poll);
1026 }
1027 }
1028
1029 /*
1030 * vfsmount lock must be held for write
1031 */
__touch_mnt_namespace(struct mnt_namespace * ns)1032 static void __touch_mnt_namespace(struct mnt_namespace *ns)
1033 {
1034 if (ns && ns->event != event) {
1035 ns->event = event;
1036 wake_up_interruptible(&ns->poll);
1037 }
1038 }
1039
1040 /*
1041 * vfsmount lock must be held for write
1042 */
unhash_mnt(struct mount * mnt)1043 static struct mountpoint *unhash_mnt(struct mount *mnt)
1044 {
1045 struct mountpoint *mp;
1046 mnt->mnt_parent = mnt;
1047 mnt->mnt_mountpoint = mnt->mnt.mnt_root;
1048 list_del_init(&mnt->mnt_child);
1049 hlist_del_init_rcu(&mnt->mnt_hash);
1050 hlist_del_init(&mnt->mnt_mp_list);
1051 mp = mnt->mnt_mp;
1052 mnt->mnt_mp = NULL;
1053 return mp;
1054 }
1055
1056 /*
1057 * vfsmount lock must be held for write
1058 */
umount_mnt(struct mount * mnt)1059 static void umount_mnt(struct mount *mnt)
1060 {
1061 put_mountpoint(unhash_mnt(mnt));
1062 }
1063
1064 /*
1065 * vfsmount lock must be held for write
1066 */
mnt_set_mountpoint(struct mount * mnt,struct mountpoint * mp,struct mount * child_mnt)1067 void mnt_set_mountpoint(struct mount *mnt,
1068 struct mountpoint *mp,
1069 struct mount *child_mnt)
1070 {
1071 mp->m_count++;
1072 mnt_add_count(mnt, 1); /* essentially, that's mntget */
1073 child_mnt->mnt_mountpoint = mp->m_dentry;
1074 child_mnt->mnt_parent = mnt;
1075 child_mnt->mnt_mp = mp;
1076 hlist_add_head(&child_mnt->mnt_mp_list, &mp->m_list);
1077 }
1078
1079 /**
1080 * mnt_set_mountpoint_beneath - mount a mount beneath another one
1081 *
1082 * @new_parent: the source mount
1083 * @top_mnt: the mount beneath which @new_parent is mounted
1084 * @new_mp: the new mountpoint of @top_mnt on @new_parent
1085 *
1086 * Remove @top_mnt from its current mountpoint @top_mnt->mnt_mp and
1087 * parent @top_mnt->mnt_parent and mount it on top of @new_parent at
1088 * @new_mp. And mount @new_parent on the old parent and old
1089 * mountpoint of @top_mnt.
1090 *
1091 * Context: This function expects namespace_lock() and lock_mount_hash()
1092 * to have been acquired in that order.
1093 */
mnt_set_mountpoint_beneath(struct mount * new_parent,struct mount * top_mnt,struct mountpoint * new_mp)1094 static void mnt_set_mountpoint_beneath(struct mount *new_parent,
1095 struct mount *top_mnt,
1096 struct mountpoint *new_mp)
1097 {
1098 struct mount *old_top_parent = top_mnt->mnt_parent;
1099 struct mountpoint *old_top_mp = top_mnt->mnt_mp;
1100
1101 mnt_set_mountpoint(old_top_parent, old_top_mp, new_parent);
1102 mnt_change_mountpoint(new_parent, new_mp, top_mnt);
1103 }
1104
1105
__attach_mnt(struct mount * mnt,struct mount * parent)1106 static void __attach_mnt(struct mount *mnt, struct mount *parent)
1107 {
1108 hlist_add_head_rcu(&mnt->mnt_hash,
1109 m_hash(&parent->mnt, mnt->mnt_mountpoint));
1110 list_add_tail(&mnt->mnt_child, &parent->mnt_mounts);
1111 }
1112
1113 /**
1114 * attach_mnt - mount a mount, attach to @mount_hashtable and parent's
1115 * list of child mounts
1116 * @parent: the parent
1117 * @mnt: the new mount
1118 * @mp: the new mountpoint
1119 * @beneath: whether to mount @mnt beneath or on top of @parent
1120 *
1121 * If @beneath is false, mount @mnt at @mp on @parent. Then attach @mnt
1122 * to @parent's child mount list and to @mount_hashtable.
1123 *
1124 * If @beneath is true, remove @mnt from its current parent and
1125 * mountpoint and mount it on @mp on @parent, and mount @parent on the
1126 * old parent and old mountpoint of @mnt. Finally, attach @parent to
1127 * @mnt_hashtable and @parent->mnt_parent->mnt_mounts.
1128 *
1129 * Note, when __attach_mnt() is called @mnt->mnt_parent already points
1130 * to the correct parent.
1131 *
1132 * Context: This function expects namespace_lock() and lock_mount_hash()
1133 * to have been acquired in that order.
1134 */
attach_mnt(struct mount * mnt,struct mount * parent,struct mountpoint * mp,bool beneath)1135 static void attach_mnt(struct mount *mnt, struct mount *parent,
1136 struct mountpoint *mp, bool beneath)
1137 {
1138 if (beneath)
1139 mnt_set_mountpoint_beneath(mnt, parent, mp);
1140 else
1141 mnt_set_mountpoint(parent, mp, mnt);
1142 /*
1143 * Note, @mnt->mnt_parent has to be used. If @mnt was mounted
1144 * beneath @parent then @mnt will need to be attached to
1145 * @parent's old parent, not @parent. IOW, @mnt->mnt_parent
1146 * isn't the same mount as @parent.
1147 */
1148 __attach_mnt(mnt, mnt->mnt_parent);
1149 }
1150
mnt_change_mountpoint(struct mount * parent,struct mountpoint * mp,struct mount * mnt)1151 void mnt_change_mountpoint(struct mount *parent, struct mountpoint *mp, struct mount *mnt)
1152 {
1153 struct mountpoint *old_mp = mnt->mnt_mp;
1154 struct mount *old_parent = mnt->mnt_parent;
1155
1156 list_del_init(&mnt->mnt_child);
1157 hlist_del_init(&mnt->mnt_mp_list);
1158 hlist_del_init_rcu(&mnt->mnt_hash);
1159
1160 attach_mnt(mnt, parent, mp, false);
1161
1162 put_mountpoint(old_mp);
1163 mnt_add_count(old_parent, -1);
1164 }
1165
node_to_mount(struct rb_node * node)1166 static inline struct mount *node_to_mount(struct rb_node *node)
1167 {
1168 return node ? rb_entry(node, struct mount, mnt_node) : NULL;
1169 }
1170
mnt_add_to_ns(struct mnt_namespace * ns,struct mount * mnt)1171 static void mnt_add_to_ns(struct mnt_namespace *ns, struct mount *mnt)
1172 {
1173 struct rb_node **link = &ns->mounts.rb_node;
1174 struct rb_node *parent = NULL;
1175 bool mnt_first_node = true, mnt_last_node = true;
1176
1177 WARN_ON(mnt_ns_attached(mnt));
1178 mnt->mnt_ns = ns;
1179 while (*link) {
1180 parent = *link;
1181 if (mnt->mnt_id_unique < node_to_mount(parent)->mnt_id_unique) {
1182 link = &parent->rb_left;
1183 mnt_last_node = false;
1184 } else {
1185 link = &parent->rb_right;
1186 mnt_first_node = false;
1187 }
1188 }
1189
1190 if (mnt_last_node)
1191 ns->mnt_last_node = &mnt->mnt_node;
1192 if (mnt_first_node)
1193 ns->mnt_first_node = &mnt->mnt_node;
1194 rb_link_node(&mnt->mnt_node, parent, link);
1195 rb_insert_color(&mnt->mnt_node, &ns->mounts);
1196
1197 mnt_notify_add(mnt);
1198 }
1199
1200 /*
1201 * vfsmount lock must be held for write
1202 */
commit_tree(struct mount * mnt)1203 static void commit_tree(struct mount *mnt)
1204 {
1205 struct mount *parent = mnt->mnt_parent;
1206 struct mount *m;
1207 LIST_HEAD(head);
1208 struct mnt_namespace *n = parent->mnt_ns;
1209
1210 BUG_ON(parent == mnt);
1211
1212 list_add_tail(&head, &mnt->mnt_list);
1213 while (!list_empty(&head)) {
1214 m = list_first_entry(&head, typeof(*m), mnt_list);
1215 list_del(&m->mnt_list);
1216
1217 mnt_add_to_ns(n, m);
1218 }
1219 n->nr_mounts += n->pending_mounts;
1220 n->pending_mounts = 0;
1221
1222 __attach_mnt(mnt, parent);
1223 touch_mnt_namespace(n);
1224 }
1225
next_mnt(struct mount * p,struct mount * root)1226 static struct mount *next_mnt(struct mount *p, struct mount *root)
1227 {
1228 struct list_head *next = p->mnt_mounts.next;
1229 if (next == &p->mnt_mounts) {
1230 while (1) {
1231 if (p == root)
1232 return NULL;
1233 next = p->mnt_child.next;
1234 if (next != &p->mnt_parent->mnt_mounts)
1235 break;
1236 p = p->mnt_parent;
1237 }
1238 }
1239 return list_entry(next, struct mount, mnt_child);
1240 }
1241
skip_mnt_tree(struct mount * p)1242 static struct mount *skip_mnt_tree(struct mount *p)
1243 {
1244 struct list_head *prev = p->mnt_mounts.prev;
1245 while (prev != &p->mnt_mounts) {
1246 p = list_entry(prev, struct mount, mnt_child);
1247 prev = p->mnt_mounts.prev;
1248 }
1249 return p;
1250 }
1251
1252 /**
1253 * vfs_create_mount - Create a mount for a configured superblock
1254 * @fc: The configuration context with the superblock attached
1255 *
1256 * Create a mount to an already configured superblock. If necessary, the
1257 * caller should invoke vfs_get_tree() before calling this.
1258 *
1259 * Note that this does not attach the mount to anything.
1260 */
vfs_create_mount(struct fs_context * fc)1261 struct vfsmount *vfs_create_mount(struct fs_context *fc)
1262 {
1263 struct mount *mnt;
1264
1265 if (!fc->root)
1266 return ERR_PTR(-EINVAL);
1267
1268 mnt = alloc_vfsmnt(fc->source);
1269 if (!mnt)
1270 return ERR_PTR(-ENOMEM);
1271
1272 if (fc->sb_flags & SB_KERNMOUNT)
1273 mnt->mnt.mnt_flags = MNT_INTERNAL;
1274
1275 atomic_inc(&fc->root->d_sb->s_active);
1276 mnt->mnt.mnt_sb = fc->root->d_sb;
1277 mnt->mnt.mnt_root = dget(fc->root);
1278 mnt->mnt_mountpoint = mnt->mnt.mnt_root;
1279 mnt->mnt_parent = mnt;
1280
1281 lock_mount_hash();
1282 list_add_tail(&mnt->mnt_instance, &mnt->mnt.mnt_sb->s_mounts);
1283 unlock_mount_hash();
1284 return &mnt->mnt;
1285 }
1286 EXPORT_SYMBOL(vfs_create_mount);
1287
fc_mount(struct fs_context * fc)1288 struct vfsmount *fc_mount(struct fs_context *fc)
1289 {
1290 int err = vfs_get_tree(fc);
1291 if (!err) {
1292 up_write(&fc->root->d_sb->s_umount);
1293 return vfs_create_mount(fc);
1294 }
1295 return ERR_PTR(err);
1296 }
1297 EXPORT_SYMBOL(fc_mount);
1298
vfs_kern_mount(struct file_system_type * type,int flags,const char * name,void * data)1299 struct vfsmount *vfs_kern_mount(struct file_system_type *type,
1300 int flags, const char *name,
1301 void *data)
1302 {
1303 struct fs_context *fc;
1304 struct vfsmount *mnt;
1305 int ret = 0;
1306
1307 if (!type)
1308 return ERR_PTR(-EINVAL);
1309
1310 fc = fs_context_for_mount(type, flags);
1311 if (IS_ERR(fc))
1312 return ERR_CAST(fc);
1313
1314 if (name)
1315 ret = vfs_parse_fs_string(fc, "source",
1316 name, strlen(name));
1317 if (!ret)
1318 ret = parse_monolithic_mount_data(fc, data);
1319 if (!ret)
1320 mnt = fc_mount(fc);
1321 else
1322 mnt = ERR_PTR(ret);
1323
1324 put_fs_context(fc);
1325 return mnt;
1326 }
1327 EXPORT_SYMBOL_GPL(vfs_kern_mount);
1328
clone_mnt(struct mount * old,struct dentry * root,int flag)1329 static struct mount *clone_mnt(struct mount *old, struct dentry *root,
1330 int flag)
1331 {
1332 struct super_block *sb = old->mnt.mnt_sb;
1333 struct mount *mnt;
1334 int err;
1335
1336 mnt = alloc_vfsmnt(old->mnt_devname);
1337 if (!mnt)
1338 return ERR_PTR(-ENOMEM);
1339
1340 if (flag & (CL_SLAVE | CL_PRIVATE | CL_SHARED_TO_SLAVE))
1341 mnt->mnt_group_id = 0; /* not a peer of original */
1342 else
1343 mnt->mnt_group_id = old->mnt_group_id;
1344
1345 if ((flag & CL_MAKE_SHARED) && !mnt->mnt_group_id) {
1346 err = mnt_alloc_group_id(mnt);
1347 if (err)
1348 goto out_free;
1349 }
1350
1351 mnt->mnt.mnt_flags = old->mnt.mnt_flags;
1352 mnt->mnt.mnt_flags &= ~(MNT_WRITE_HOLD|MNT_MARKED|MNT_INTERNAL);
1353
1354 atomic_inc(&sb->s_active);
1355 mnt->mnt.mnt_idmap = mnt_idmap_get(mnt_idmap(&old->mnt));
1356
1357 mnt->mnt.mnt_sb = sb;
1358 mnt->mnt.mnt_root = dget(root);
1359 mnt->mnt_mountpoint = mnt->mnt.mnt_root;
1360 mnt->mnt_parent = mnt;
1361 lock_mount_hash();
1362 list_add_tail(&mnt->mnt_instance, &sb->s_mounts);
1363 unlock_mount_hash();
1364
1365 if ((flag & CL_SLAVE) ||
1366 ((flag & CL_SHARED_TO_SLAVE) && IS_MNT_SHARED(old))) {
1367 list_add(&mnt->mnt_slave, &old->mnt_slave_list);
1368 mnt->mnt_master = old;
1369 CLEAR_MNT_SHARED(mnt);
1370 } else if (!(flag & CL_PRIVATE)) {
1371 if ((flag & CL_MAKE_SHARED) || IS_MNT_SHARED(old))
1372 list_add(&mnt->mnt_share, &old->mnt_share);
1373 if (IS_MNT_SLAVE(old))
1374 list_add(&mnt->mnt_slave, &old->mnt_slave);
1375 mnt->mnt_master = old->mnt_master;
1376 } else {
1377 CLEAR_MNT_SHARED(mnt);
1378 }
1379 if (flag & CL_MAKE_SHARED)
1380 set_mnt_shared(mnt);
1381
1382 /* stick the duplicate mount on the same expiry list
1383 * as the original if that was on one */
1384 if (flag & CL_EXPIRE) {
1385 if (!list_empty(&old->mnt_expire))
1386 list_add(&mnt->mnt_expire, &old->mnt_expire);
1387 }
1388
1389 return mnt;
1390
1391 out_free:
1392 mnt_free_id(mnt);
1393 free_vfsmnt(mnt);
1394 return ERR_PTR(err);
1395 }
1396
cleanup_mnt(struct mount * mnt)1397 static void cleanup_mnt(struct mount *mnt)
1398 {
1399 struct hlist_node *p;
1400 struct mount *m;
1401 /*
1402 * The warning here probably indicates that somebody messed
1403 * up a mnt_want/drop_write() pair. If this happens, the
1404 * filesystem was probably unable to make r/w->r/o transitions.
1405 * The locking used to deal with mnt_count decrement provides barriers,
1406 * so mnt_get_writers() below is safe.
1407 */
1408 WARN_ON(mnt_get_writers(mnt));
1409 if (unlikely(mnt->mnt_pins.first))
1410 mnt_pin_kill(mnt);
1411 hlist_for_each_entry_safe(m, p, &mnt->mnt_stuck_children, mnt_umount) {
1412 hlist_del(&m->mnt_umount);
1413 mntput(&m->mnt);
1414 }
1415 fsnotify_vfsmount_delete(&mnt->mnt);
1416 dput(mnt->mnt.mnt_root);
1417 deactivate_super(mnt->mnt.mnt_sb);
1418 mnt_free_id(mnt);
1419 call_rcu(&mnt->mnt_rcu, delayed_free_vfsmnt);
1420 }
1421
__cleanup_mnt(struct rcu_head * head)1422 static void __cleanup_mnt(struct rcu_head *head)
1423 {
1424 cleanup_mnt(container_of(head, struct mount, mnt_rcu));
1425 }
1426
1427 static LLIST_HEAD(delayed_mntput_list);
delayed_mntput(struct work_struct * unused)1428 static void delayed_mntput(struct work_struct *unused)
1429 {
1430 struct llist_node *node = llist_del_all(&delayed_mntput_list);
1431 struct mount *m, *t;
1432
1433 llist_for_each_entry_safe(m, t, node, mnt_llist)
1434 cleanup_mnt(m);
1435 }
1436 static DECLARE_DELAYED_WORK(delayed_mntput_work, delayed_mntput);
1437
mntput_no_expire(struct mount * mnt)1438 static void mntput_no_expire(struct mount *mnt)
1439 {
1440 LIST_HEAD(list);
1441 int count;
1442
1443 rcu_read_lock();
1444 if (likely(READ_ONCE(mnt->mnt_ns))) {
1445 /*
1446 * Since we don't do lock_mount_hash() here,
1447 * ->mnt_ns can change under us. However, if it's
1448 * non-NULL, then there's a reference that won't
1449 * be dropped until after an RCU delay done after
1450 * turning ->mnt_ns NULL. So if we observe it
1451 * non-NULL under rcu_read_lock(), the reference
1452 * we are dropping is not the final one.
1453 */
1454 mnt_add_count(mnt, -1);
1455 rcu_read_unlock();
1456 return;
1457 }
1458 lock_mount_hash();
1459 /*
1460 * make sure that if __legitimize_mnt() has not seen us grab
1461 * mount_lock, we'll see their refcount increment here.
1462 */
1463 smp_mb();
1464 mnt_add_count(mnt, -1);
1465 count = mnt_get_count(mnt);
1466 if (count != 0) {
1467 WARN_ON(count < 0);
1468 rcu_read_unlock();
1469 unlock_mount_hash();
1470 return;
1471 }
1472 if (unlikely(mnt->mnt.mnt_flags & MNT_DOOMED)) {
1473 rcu_read_unlock();
1474 unlock_mount_hash();
1475 return;
1476 }
1477 mnt->mnt.mnt_flags |= MNT_DOOMED;
1478 rcu_read_unlock();
1479
1480 list_del(&mnt->mnt_instance);
1481
1482 if (unlikely(!list_empty(&mnt->mnt_mounts))) {
1483 struct mount *p, *tmp;
1484 list_for_each_entry_safe(p, tmp, &mnt->mnt_mounts, mnt_child) {
1485 __put_mountpoint(unhash_mnt(p), &list);
1486 hlist_add_head(&p->mnt_umount, &mnt->mnt_stuck_children);
1487 }
1488 }
1489 unlock_mount_hash();
1490 shrink_dentry_list(&list);
1491
1492 if (likely(!(mnt->mnt.mnt_flags & MNT_INTERNAL))) {
1493 struct task_struct *task = current;
1494 if (likely(!(task->flags & PF_KTHREAD))) {
1495 init_task_work(&mnt->mnt_rcu, __cleanup_mnt);
1496 if (!task_work_add(task, &mnt->mnt_rcu, TWA_RESUME))
1497 return;
1498 }
1499 if (llist_add(&mnt->mnt_llist, &delayed_mntput_list))
1500 schedule_delayed_work(&delayed_mntput_work, 1);
1501 return;
1502 }
1503 cleanup_mnt(mnt);
1504 }
1505
mntput(struct vfsmount * mnt)1506 void mntput(struct vfsmount *mnt)
1507 {
1508 if (mnt) {
1509 struct mount *m = real_mount(mnt);
1510 /* avoid cacheline pingpong */
1511 if (unlikely(m->mnt_expiry_mark))
1512 WRITE_ONCE(m->mnt_expiry_mark, 0);
1513 mntput_no_expire(m);
1514 }
1515 }
1516 EXPORT_SYMBOL(mntput);
1517
mntget(struct vfsmount * mnt)1518 struct vfsmount *mntget(struct vfsmount *mnt)
1519 {
1520 if (mnt)
1521 mnt_add_count(real_mount(mnt), 1);
1522 return mnt;
1523 }
1524 EXPORT_SYMBOL(mntget);
1525
1526 /*
1527 * Make a mount point inaccessible to new lookups.
1528 * Because there may still be current users, the caller MUST WAIT
1529 * for an RCU grace period before destroying the mount point.
1530 */
mnt_make_shortterm(struct vfsmount * mnt)1531 void mnt_make_shortterm(struct vfsmount *mnt)
1532 {
1533 if (mnt)
1534 real_mount(mnt)->mnt_ns = NULL;
1535 }
1536
1537 /**
1538 * path_is_mountpoint() - Check if path is a mount in the current namespace.
1539 * @path: path to check
1540 *
1541 * d_mountpoint() can only be used reliably to establish if a dentry is
1542 * not mounted in any namespace and that common case is handled inline.
1543 * d_mountpoint() isn't aware of the possibility there may be multiple
1544 * mounts using a given dentry in a different namespace. This function
1545 * checks if the passed in path is a mountpoint rather than the dentry
1546 * alone.
1547 */
path_is_mountpoint(const struct path * path)1548 bool path_is_mountpoint(const struct path *path)
1549 {
1550 unsigned seq;
1551 bool res;
1552
1553 if (!d_mountpoint(path->dentry))
1554 return false;
1555
1556 rcu_read_lock();
1557 do {
1558 seq = read_seqbegin(&mount_lock);
1559 res = __path_is_mountpoint(path);
1560 } while (read_seqretry(&mount_lock, seq));
1561 rcu_read_unlock();
1562
1563 return res;
1564 }
1565 EXPORT_SYMBOL(path_is_mountpoint);
1566
mnt_clone_internal(const struct path * path)1567 struct vfsmount *mnt_clone_internal(const struct path *path)
1568 {
1569 struct mount *p;
1570 p = clone_mnt(real_mount(path->mnt), path->dentry, CL_PRIVATE);
1571 if (IS_ERR(p))
1572 return ERR_CAST(p);
1573 p->mnt.mnt_flags |= MNT_INTERNAL;
1574 return &p->mnt;
1575 }
1576
1577 /*
1578 * Returns the mount which either has the specified mnt_id, or has the next
1579 * smallest id afer the specified one.
1580 */
mnt_find_id_at(struct mnt_namespace * ns,u64 mnt_id)1581 static struct mount *mnt_find_id_at(struct mnt_namespace *ns, u64 mnt_id)
1582 {
1583 struct rb_node *node = ns->mounts.rb_node;
1584 struct mount *ret = NULL;
1585
1586 while (node) {
1587 struct mount *m = node_to_mount(node);
1588
1589 if (mnt_id <= m->mnt_id_unique) {
1590 ret = node_to_mount(node);
1591 if (mnt_id == m->mnt_id_unique)
1592 break;
1593 node = node->rb_left;
1594 } else {
1595 node = node->rb_right;
1596 }
1597 }
1598 return ret;
1599 }
1600
1601 /*
1602 * Returns the mount which either has the specified mnt_id, or has the next
1603 * greater id before the specified one.
1604 */
mnt_find_id_at_reverse(struct mnt_namespace * ns,u64 mnt_id)1605 static struct mount *mnt_find_id_at_reverse(struct mnt_namespace *ns, u64 mnt_id)
1606 {
1607 struct rb_node *node = ns->mounts.rb_node;
1608 struct mount *ret = NULL;
1609
1610 while (node) {
1611 struct mount *m = node_to_mount(node);
1612
1613 if (mnt_id >= m->mnt_id_unique) {
1614 ret = node_to_mount(node);
1615 if (mnt_id == m->mnt_id_unique)
1616 break;
1617 node = node->rb_right;
1618 } else {
1619 node = node->rb_left;
1620 }
1621 }
1622 return ret;
1623 }
1624
1625 #ifdef CONFIG_PROC_FS
1626
1627 /* iterator; we want it to have access to namespace_sem, thus here... */
m_start(struct seq_file * m,loff_t * pos)1628 static void *m_start(struct seq_file *m, loff_t *pos)
1629 {
1630 struct proc_mounts *p = m->private;
1631
1632 down_read(&namespace_sem);
1633
1634 return mnt_find_id_at(p->ns, *pos);
1635 }
1636
m_next(struct seq_file * m,void * v,loff_t * pos)1637 static void *m_next(struct seq_file *m, void *v, loff_t *pos)
1638 {
1639 struct mount *next = NULL, *mnt = v;
1640 struct rb_node *node = rb_next(&mnt->mnt_node);
1641
1642 ++*pos;
1643 if (node) {
1644 next = node_to_mount(node);
1645 *pos = next->mnt_id_unique;
1646 }
1647 return next;
1648 }
1649
m_stop(struct seq_file * m,void * v)1650 static void m_stop(struct seq_file *m, void *v)
1651 {
1652 up_read(&namespace_sem);
1653 }
1654
m_show(struct seq_file * m,void * v)1655 static int m_show(struct seq_file *m, void *v)
1656 {
1657 struct proc_mounts *p = m->private;
1658 struct mount *r = v;
1659 return p->show(m, &r->mnt);
1660 }
1661
1662 const struct seq_operations mounts_op = {
1663 .start = m_start,
1664 .next = m_next,
1665 .stop = m_stop,
1666 .show = m_show,
1667 };
1668
1669 #endif /* CONFIG_PROC_FS */
1670
1671 /**
1672 * may_umount_tree - check if a mount tree is busy
1673 * @m: root of mount tree
1674 *
1675 * This is called to check if a tree of mounts has any
1676 * open files, pwds, chroots or sub mounts that are
1677 * busy.
1678 */
may_umount_tree(struct vfsmount * m)1679 int may_umount_tree(struct vfsmount *m)
1680 {
1681 struct mount *mnt = real_mount(m);
1682 int actual_refs = 0;
1683 int minimum_refs = 0;
1684 struct mount *p;
1685 BUG_ON(!m);
1686
1687 /* write lock needed for mnt_get_count */
1688 lock_mount_hash();
1689 for (p = mnt; p; p = next_mnt(p, mnt)) {
1690 actual_refs += mnt_get_count(p);
1691 minimum_refs += 2;
1692 }
1693 unlock_mount_hash();
1694
1695 if (actual_refs > minimum_refs)
1696 return 0;
1697
1698 return 1;
1699 }
1700
1701 EXPORT_SYMBOL(may_umount_tree);
1702
1703 /**
1704 * may_umount - check if a mount point is busy
1705 * @mnt: root of mount
1706 *
1707 * This is called to check if a mount point has any
1708 * open files, pwds, chroots or sub mounts. If the
1709 * mount has sub mounts this will return busy
1710 * regardless of whether the sub mounts are busy.
1711 *
1712 * Doesn't take quota and stuff into account. IOW, in some cases it will
1713 * give false negatives. The main reason why it's here is that we need
1714 * a non-destructive way to look for easily umountable filesystems.
1715 */
may_umount(struct vfsmount * mnt)1716 int may_umount(struct vfsmount *mnt)
1717 {
1718 int ret = 1;
1719 down_read(&namespace_sem);
1720 lock_mount_hash();
1721 if (propagate_mount_busy(real_mount(mnt), 2))
1722 ret = 0;
1723 unlock_mount_hash();
1724 up_read(&namespace_sem);
1725 return ret;
1726 }
1727
1728 EXPORT_SYMBOL(may_umount);
1729
1730 #ifdef CONFIG_FSNOTIFY
mnt_notify(struct mount * p)1731 static void mnt_notify(struct mount *p)
1732 {
1733 if (!p->prev_ns && p->mnt_ns) {
1734 fsnotify_mnt_attach(p->mnt_ns, &p->mnt);
1735 } else if (p->prev_ns && !p->mnt_ns) {
1736 fsnotify_mnt_detach(p->prev_ns, &p->mnt);
1737 } else if (p->prev_ns == p->mnt_ns) {
1738 fsnotify_mnt_move(p->mnt_ns, &p->mnt);
1739 } else {
1740 fsnotify_mnt_detach(p->prev_ns, &p->mnt);
1741 fsnotify_mnt_attach(p->mnt_ns, &p->mnt);
1742 }
1743 p->prev_ns = p->mnt_ns;
1744 }
1745
notify_mnt_list(void)1746 static void notify_mnt_list(void)
1747 {
1748 struct mount *m, *tmp;
1749 /*
1750 * Notify about mounts that were added/reparented/detached/remain
1751 * connected after unmount.
1752 */
1753 list_for_each_entry_safe(m, tmp, ¬ify_list, to_notify) {
1754 mnt_notify(m);
1755 list_del_init(&m->to_notify);
1756 }
1757 }
1758
need_notify_mnt_list(void)1759 static bool need_notify_mnt_list(void)
1760 {
1761 return !list_empty(¬ify_list);
1762 }
1763 #else
notify_mnt_list(void)1764 static void notify_mnt_list(void)
1765 {
1766 }
1767
need_notify_mnt_list(void)1768 static bool need_notify_mnt_list(void)
1769 {
1770 return false;
1771 }
1772 #endif
1773
namespace_unlock(void)1774 static void namespace_unlock(void)
1775 {
1776 struct hlist_head head;
1777 struct hlist_node *p;
1778 struct mount *m;
1779 LIST_HEAD(list);
1780
1781 hlist_move_list(&unmounted, &head);
1782 list_splice_init(&ex_mountpoints, &list);
1783
1784 if (need_notify_mnt_list()) {
1785 /*
1786 * No point blocking out concurrent readers while notifications
1787 * are sent. This will also allow statmount()/listmount() to run
1788 * concurrently.
1789 */
1790 downgrade_write(&namespace_sem);
1791 notify_mnt_list();
1792 up_read(&namespace_sem);
1793 } else {
1794 up_write(&namespace_sem);
1795 }
1796
1797 shrink_dentry_list(&list);
1798
1799 if (likely(hlist_empty(&head)))
1800 return;
1801
1802 synchronize_rcu_expedited();
1803
1804 hlist_for_each_entry_safe(m, p, &head, mnt_umount) {
1805 hlist_del(&m->mnt_umount);
1806 mntput(&m->mnt);
1807 }
1808 }
1809
namespace_lock(void)1810 static inline void namespace_lock(void)
1811 {
1812 down_write(&namespace_sem);
1813 }
1814
1815 DEFINE_GUARD(namespace_lock, struct rw_semaphore *, namespace_lock(), namespace_unlock())
1816
1817 enum umount_tree_flags {
1818 UMOUNT_SYNC = 1,
1819 UMOUNT_PROPAGATE = 2,
1820 UMOUNT_CONNECTED = 4,
1821 };
1822
disconnect_mount(struct mount * mnt,enum umount_tree_flags how)1823 static bool disconnect_mount(struct mount *mnt, enum umount_tree_flags how)
1824 {
1825 /* Leaving mounts connected is only valid for lazy umounts */
1826 if (how & UMOUNT_SYNC)
1827 return true;
1828
1829 /* A mount without a parent has nothing to be connected to */
1830 if (!mnt_has_parent(mnt))
1831 return true;
1832
1833 /* Because the reference counting rules change when mounts are
1834 * unmounted and connected, umounted mounts may not be
1835 * connected to mounted mounts.
1836 */
1837 if (!(mnt->mnt_parent->mnt.mnt_flags & MNT_UMOUNT))
1838 return true;
1839
1840 /* Has it been requested that the mount remain connected? */
1841 if (how & UMOUNT_CONNECTED)
1842 return false;
1843
1844 /* Is the mount locked such that it needs to remain connected? */
1845 if (IS_MNT_LOCKED(mnt))
1846 return false;
1847
1848 /* By default disconnect the mount */
1849 return true;
1850 }
1851
1852 /*
1853 * mount_lock must be held
1854 * namespace_sem must be held for write
1855 */
umount_tree(struct mount * mnt,enum umount_tree_flags how)1856 static void umount_tree(struct mount *mnt, enum umount_tree_flags how)
1857 {
1858 LIST_HEAD(tmp_list);
1859 struct mount *p;
1860
1861 if (how & UMOUNT_PROPAGATE)
1862 propagate_mount_unlock(mnt);
1863
1864 /* Gather the mounts to umount */
1865 for (p = mnt; p; p = next_mnt(p, mnt)) {
1866 p->mnt.mnt_flags |= MNT_UMOUNT;
1867 if (mnt_ns_attached(p))
1868 move_from_ns(p, &tmp_list);
1869 else
1870 list_move(&p->mnt_list, &tmp_list);
1871 }
1872
1873 /* Hide the mounts from mnt_mounts */
1874 list_for_each_entry(p, &tmp_list, mnt_list) {
1875 list_del_init(&p->mnt_child);
1876 }
1877
1878 /* Add propagated mounts to the tmp_list */
1879 if (how & UMOUNT_PROPAGATE)
1880 propagate_umount(&tmp_list);
1881
1882 while (!list_empty(&tmp_list)) {
1883 struct mnt_namespace *ns;
1884 bool disconnect;
1885 p = list_first_entry(&tmp_list, struct mount, mnt_list);
1886 list_del_init(&p->mnt_expire);
1887 list_del_init(&p->mnt_list);
1888 ns = p->mnt_ns;
1889 if (ns) {
1890 ns->nr_mounts--;
1891 __touch_mnt_namespace(ns);
1892 }
1893 p->mnt_ns = NULL;
1894 if (how & UMOUNT_SYNC)
1895 p->mnt.mnt_flags |= MNT_SYNC_UMOUNT;
1896
1897 disconnect = disconnect_mount(p, how);
1898 if (mnt_has_parent(p)) {
1899 mnt_add_count(p->mnt_parent, -1);
1900 if (!disconnect) {
1901 /* Don't forget about p */
1902 list_add_tail(&p->mnt_child, &p->mnt_parent->mnt_mounts);
1903 } else {
1904 umount_mnt(p);
1905 }
1906 }
1907 change_mnt_propagation(p, MS_PRIVATE);
1908 if (disconnect)
1909 hlist_add_head(&p->mnt_umount, &unmounted);
1910
1911 /*
1912 * At this point p->mnt_ns is NULL, notification will be queued
1913 * only if
1914 *
1915 * - p->prev_ns is non-NULL *and*
1916 * - p->prev_ns->n_fsnotify_marks is non-NULL
1917 *
1918 * This will preclude queuing the mount if this is a cleanup
1919 * after a failed copy_tree() or destruction of an anonymous
1920 * namespace, etc.
1921 */
1922 mnt_notify_add(p);
1923 }
1924 }
1925
1926 static void shrink_submounts(struct mount *mnt);
1927
do_umount_root(struct super_block * sb)1928 static int do_umount_root(struct super_block *sb)
1929 {
1930 int ret = 0;
1931
1932 down_write(&sb->s_umount);
1933 if (!sb_rdonly(sb)) {
1934 struct fs_context *fc;
1935
1936 fc = fs_context_for_reconfigure(sb->s_root, SB_RDONLY,
1937 SB_RDONLY);
1938 if (IS_ERR(fc)) {
1939 ret = PTR_ERR(fc);
1940 } else {
1941 ret = parse_monolithic_mount_data(fc, NULL);
1942 if (!ret)
1943 ret = reconfigure_super(fc);
1944 put_fs_context(fc);
1945 }
1946 }
1947 up_write(&sb->s_umount);
1948 return ret;
1949 }
1950
do_umount(struct mount * mnt,int flags)1951 static int do_umount(struct mount *mnt, int flags)
1952 {
1953 struct super_block *sb = mnt->mnt.mnt_sb;
1954 int retval;
1955
1956 retval = security_sb_umount(&mnt->mnt, flags);
1957 if (retval)
1958 return retval;
1959
1960 /*
1961 * Allow userspace to request a mountpoint be expired rather than
1962 * unmounting unconditionally. Unmount only happens if:
1963 * (1) the mark is already set (the mark is cleared by mntput())
1964 * (2) the usage count == 1 [parent vfsmount] + 1 [sys_umount]
1965 */
1966 if (flags & MNT_EXPIRE) {
1967 if (&mnt->mnt == current->fs->root.mnt ||
1968 flags & (MNT_FORCE | MNT_DETACH))
1969 return -EINVAL;
1970
1971 /*
1972 * probably don't strictly need the lock here if we examined
1973 * all race cases, but it's a slowpath.
1974 */
1975 lock_mount_hash();
1976 if (mnt_get_count(mnt) != 2) {
1977 unlock_mount_hash();
1978 return -EBUSY;
1979 }
1980 unlock_mount_hash();
1981
1982 if (!xchg(&mnt->mnt_expiry_mark, 1))
1983 return -EAGAIN;
1984 }
1985
1986 /*
1987 * If we may have to abort operations to get out of this
1988 * mount, and they will themselves hold resources we must
1989 * allow the fs to do things. In the Unix tradition of
1990 * 'Gee thats tricky lets do it in userspace' the umount_begin
1991 * might fail to complete on the first run through as other tasks
1992 * must return, and the like. Thats for the mount program to worry
1993 * about for the moment.
1994 */
1995
1996 if (flags & MNT_FORCE && sb->s_op->umount_begin) {
1997 sb->s_op->umount_begin(sb);
1998 }
1999
2000 /*
2001 * No sense to grab the lock for this test, but test itself looks
2002 * somewhat bogus. Suggestions for better replacement?
2003 * Ho-hum... In principle, we might treat that as umount + switch
2004 * to rootfs. GC would eventually take care of the old vfsmount.
2005 * Actually it makes sense, especially if rootfs would contain a
2006 * /reboot - static binary that would close all descriptors and
2007 * call reboot(9). Then init(8) could umount root and exec /reboot.
2008 */
2009 if (&mnt->mnt == current->fs->root.mnt && !(flags & MNT_DETACH)) {
2010 /*
2011 * Special case for "unmounting" root ...
2012 * we just try to remount it readonly.
2013 */
2014 if (!ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
2015 return -EPERM;
2016 return do_umount_root(sb);
2017 }
2018
2019 namespace_lock();
2020 lock_mount_hash();
2021
2022 /* Recheck MNT_LOCKED with the locks held */
2023 retval = -EINVAL;
2024 if (mnt->mnt.mnt_flags & MNT_LOCKED)
2025 goto out;
2026
2027 event++;
2028 if (flags & MNT_DETACH) {
2029 if (mnt_ns_attached(mnt) || !list_empty(&mnt->mnt_list))
2030 umount_tree(mnt, UMOUNT_PROPAGATE);
2031 retval = 0;
2032 } else {
2033 smp_mb(); // paired with __legitimize_mnt()
2034 shrink_submounts(mnt);
2035 retval = -EBUSY;
2036 if (!propagate_mount_busy(mnt, 2)) {
2037 if (mnt_ns_attached(mnt) || !list_empty(&mnt->mnt_list))
2038 umount_tree(mnt, UMOUNT_PROPAGATE|UMOUNT_SYNC);
2039 retval = 0;
2040 }
2041 }
2042 out:
2043 unlock_mount_hash();
2044 namespace_unlock();
2045 return retval;
2046 }
2047
2048 /*
2049 * __detach_mounts - lazily unmount all mounts on the specified dentry
2050 *
2051 * During unlink, rmdir, and d_drop it is possible to loose the path
2052 * to an existing mountpoint, and wind up leaking the mount.
2053 * detach_mounts allows lazily unmounting those mounts instead of
2054 * leaking them.
2055 *
2056 * The caller may hold dentry->d_inode->i_mutex.
2057 */
__detach_mounts(struct dentry * dentry)2058 void __detach_mounts(struct dentry *dentry)
2059 {
2060 struct mountpoint *mp;
2061 struct mount *mnt;
2062
2063 namespace_lock();
2064 lock_mount_hash();
2065 mp = lookup_mountpoint(dentry);
2066 if (!mp)
2067 goto out_unlock;
2068
2069 event++;
2070 while (!hlist_empty(&mp->m_list)) {
2071 mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list);
2072 if (mnt->mnt.mnt_flags & MNT_UMOUNT) {
2073 umount_mnt(mnt);
2074 hlist_add_head(&mnt->mnt_umount, &unmounted);
2075 }
2076 else umount_tree(mnt, UMOUNT_CONNECTED);
2077 }
2078 put_mountpoint(mp);
2079 out_unlock:
2080 unlock_mount_hash();
2081 namespace_unlock();
2082 }
2083
2084 /*
2085 * Is the caller allowed to modify his namespace?
2086 */
may_mount(void)2087 bool may_mount(void)
2088 {
2089 return ns_capable(current->nsproxy->mnt_ns->user_ns, CAP_SYS_ADMIN);
2090 }
2091
warn_mandlock(void)2092 static void warn_mandlock(void)
2093 {
2094 pr_warn_once("=======================================================\n"
2095 "WARNING: The mand mount option has been deprecated and\n"
2096 " and is ignored by this kernel. Remove the mand\n"
2097 " option from the mount to silence this warning.\n"
2098 "=======================================================\n");
2099 }
2100
can_umount(const struct path * path,int flags)2101 static int can_umount(const struct path *path, int flags)
2102 {
2103 struct mount *mnt = real_mount(path->mnt);
2104 struct super_block *sb = path->dentry->d_sb;
2105
2106 if (!may_mount())
2107 return -EPERM;
2108 if (!path_mounted(path))
2109 return -EINVAL;
2110 if (!check_mnt(mnt))
2111 return -EINVAL;
2112 if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
2113 return -EINVAL;
2114 if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
2115 return -EPERM;
2116 return 0;
2117 }
2118
2119 // caller is responsible for flags being sane
path_umount(struct path * path,int flags)2120 int path_umount(struct path *path, int flags)
2121 {
2122 struct mount *mnt = real_mount(path->mnt);
2123 int ret;
2124
2125 ret = can_umount(path, flags);
2126 if (!ret)
2127 ret = do_umount(mnt, flags);
2128
2129 /* we mustn't call path_put() as that would clear mnt_expiry_mark */
2130 dput(path->dentry);
2131 mntput_no_expire(mnt);
2132 return ret;
2133 }
2134
ksys_umount(char __user * name,int flags)2135 static int ksys_umount(char __user *name, int flags)
2136 {
2137 int lookup_flags = LOOKUP_MOUNTPOINT;
2138 struct path path;
2139 int ret;
2140
2141 // basic validity checks done first
2142 if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))
2143 return -EINVAL;
2144
2145 if (!(flags & UMOUNT_NOFOLLOW))
2146 lookup_flags |= LOOKUP_FOLLOW;
2147 ret = user_path_at(AT_FDCWD, name, lookup_flags, &path);
2148 if (ret)
2149 return ret;
2150 return path_umount(&path, flags);
2151 }
2152
SYSCALL_DEFINE2(umount,char __user *,name,int,flags)2153 SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
2154 {
2155 return ksys_umount(name, flags);
2156 }
2157
2158 #ifdef __ARCH_WANT_SYS_OLDUMOUNT
2159
2160 /*
2161 * The 2.0 compatible umount. No flags.
2162 */
SYSCALL_DEFINE1(oldumount,char __user *,name)2163 SYSCALL_DEFINE1(oldumount, char __user *, name)
2164 {
2165 return ksys_umount(name, 0);
2166 }
2167
2168 #endif
2169
is_mnt_ns_file(struct dentry * dentry)2170 static bool is_mnt_ns_file(struct dentry *dentry)
2171 {
2172 struct ns_common *ns;
2173
2174 /* Is this a proxy for a mount namespace? */
2175 if (dentry->d_op != &ns_dentry_operations)
2176 return false;
2177
2178 ns = d_inode(dentry)->i_private;
2179
2180 return ns->ops == &mntns_operations;
2181 }
2182
from_mnt_ns(struct mnt_namespace * mnt)2183 struct ns_common *from_mnt_ns(struct mnt_namespace *mnt)
2184 {
2185 return &mnt->ns;
2186 }
2187
get_sequential_mnt_ns(struct mnt_namespace * mntns,bool previous)2188 struct mnt_namespace *get_sequential_mnt_ns(struct mnt_namespace *mntns, bool previous)
2189 {
2190 guard(rcu)();
2191
2192 for (;;) {
2193 struct list_head *list;
2194
2195 if (previous)
2196 list = rcu_dereference(list_bidir_prev_rcu(&mntns->mnt_ns_list));
2197 else
2198 list = rcu_dereference(list_next_rcu(&mntns->mnt_ns_list));
2199 if (list_is_head(list, &mnt_ns_list))
2200 return ERR_PTR(-ENOENT);
2201
2202 mntns = list_entry_rcu(list, struct mnt_namespace, mnt_ns_list);
2203
2204 /*
2205 * The last passive reference count is put with RCU
2206 * delay so accessing the mount namespace is not just
2207 * safe but all relevant members are still valid.
2208 */
2209 if (!ns_capable_noaudit(mntns->user_ns, CAP_SYS_ADMIN))
2210 continue;
2211
2212 /*
2213 * We need an active reference count as we're persisting
2214 * the mount namespace and it might already be on its
2215 * deathbed.
2216 */
2217 if (!refcount_inc_not_zero(&mntns->ns.count))
2218 continue;
2219
2220 return mntns;
2221 }
2222 }
2223
mnt_ns_from_dentry(struct dentry * dentry)2224 struct mnt_namespace *mnt_ns_from_dentry(struct dentry *dentry)
2225 {
2226 if (!is_mnt_ns_file(dentry))
2227 return NULL;
2228
2229 return to_mnt_ns(get_proc_ns(dentry->d_inode));
2230 }
2231
mnt_ns_loop(struct dentry * dentry)2232 static bool mnt_ns_loop(struct dentry *dentry)
2233 {
2234 /* Could bind mounting the mount namespace inode cause a
2235 * mount namespace loop?
2236 */
2237 struct mnt_namespace *mnt_ns = mnt_ns_from_dentry(dentry);
2238
2239 if (!mnt_ns)
2240 return false;
2241
2242 return current->nsproxy->mnt_ns->seq >= mnt_ns->seq;
2243 }
2244
copy_tree(struct mount * src_root,struct dentry * dentry,int flag)2245 struct mount *copy_tree(struct mount *src_root, struct dentry *dentry,
2246 int flag)
2247 {
2248 struct mount *res, *src_parent, *src_root_child, *src_mnt,
2249 *dst_parent, *dst_mnt;
2250
2251 if (!(flag & CL_COPY_UNBINDABLE) && IS_MNT_UNBINDABLE(src_root))
2252 return ERR_PTR(-EINVAL);
2253
2254 if (!(flag & CL_COPY_MNT_NS_FILE) && is_mnt_ns_file(dentry))
2255 return ERR_PTR(-EINVAL);
2256
2257 res = dst_mnt = clone_mnt(src_root, dentry, flag);
2258 if (IS_ERR(dst_mnt))
2259 return dst_mnt;
2260
2261 src_parent = src_root;
2262 dst_mnt->mnt_mountpoint = src_root->mnt_mountpoint;
2263
2264 list_for_each_entry(src_root_child, &src_root->mnt_mounts, mnt_child) {
2265 if (!is_subdir(src_root_child->mnt_mountpoint, dentry))
2266 continue;
2267
2268 for (src_mnt = src_root_child; src_mnt;
2269 src_mnt = next_mnt(src_mnt, src_root_child)) {
2270 if (!(flag & CL_COPY_UNBINDABLE) &&
2271 IS_MNT_UNBINDABLE(src_mnt)) {
2272 if (src_mnt->mnt.mnt_flags & MNT_LOCKED) {
2273 /* Both unbindable and locked. */
2274 dst_mnt = ERR_PTR(-EPERM);
2275 goto out;
2276 } else {
2277 src_mnt = skip_mnt_tree(src_mnt);
2278 continue;
2279 }
2280 }
2281 if (!(flag & CL_COPY_MNT_NS_FILE) &&
2282 is_mnt_ns_file(src_mnt->mnt.mnt_root)) {
2283 src_mnt = skip_mnt_tree(src_mnt);
2284 continue;
2285 }
2286 while (src_parent != src_mnt->mnt_parent) {
2287 src_parent = src_parent->mnt_parent;
2288 dst_mnt = dst_mnt->mnt_parent;
2289 }
2290
2291 src_parent = src_mnt;
2292 dst_parent = dst_mnt;
2293 dst_mnt = clone_mnt(src_mnt, src_mnt->mnt.mnt_root, flag);
2294 if (IS_ERR(dst_mnt))
2295 goto out;
2296 lock_mount_hash();
2297 list_add_tail(&dst_mnt->mnt_list, &res->mnt_list);
2298 attach_mnt(dst_mnt, dst_parent, src_parent->mnt_mp, false);
2299 unlock_mount_hash();
2300 }
2301 }
2302 return res;
2303
2304 out:
2305 if (res) {
2306 lock_mount_hash();
2307 umount_tree(res, UMOUNT_SYNC);
2308 unlock_mount_hash();
2309 }
2310 return dst_mnt;
2311 }
2312
extend_array(struct path ** res,struct path ** to_free,unsigned n,unsigned * count,unsigned new_count)2313 static inline bool extend_array(struct path **res, struct path **to_free,
2314 unsigned n, unsigned *count, unsigned new_count)
2315 {
2316 struct path *p;
2317
2318 if (likely(n < *count))
2319 return true;
2320 p = kmalloc_array(new_count, sizeof(struct path), GFP_KERNEL);
2321 if (p && *count)
2322 memcpy(p, *res, *count * sizeof(struct path));
2323 *count = new_count;
2324 kfree(*to_free);
2325 *to_free = *res = p;
2326 return p;
2327 }
2328
collect_paths(const struct path * path,struct path * prealloc,unsigned count)2329 struct path *collect_paths(const struct path *path,
2330 struct path *prealloc, unsigned count)
2331 {
2332 struct mount *root = real_mount(path->mnt);
2333 struct mount *child;
2334 struct path *res = prealloc, *to_free = NULL;
2335 unsigned n = 0;
2336
2337 guard(rwsem_read)(&namespace_sem);
2338
2339 if (!check_mnt(root))
2340 return ERR_PTR(-EINVAL);
2341 if (!extend_array(&res, &to_free, 0, &count, 32))
2342 return ERR_PTR(-ENOMEM);
2343 res[n++] = *path;
2344 list_for_each_entry(child, &root->mnt_mounts, mnt_child) {
2345 if (!is_subdir(child->mnt_mountpoint, path->dentry))
2346 continue;
2347 for (struct mount *m = child; m; m = next_mnt(m, child)) {
2348 if (!extend_array(&res, &to_free, n, &count, 2 * count))
2349 return ERR_PTR(-ENOMEM);
2350 res[n].mnt = &m->mnt;
2351 res[n].dentry = m->mnt.mnt_root;
2352 n++;
2353 }
2354 }
2355 if (!extend_array(&res, &to_free, n, &count, count + 1))
2356 return ERR_PTR(-ENOMEM);
2357 memset(res + n, 0, (count - n) * sizeof(struct path));
2358 for (struct path *p = res; p->mnt; p++)
2359 path_get(p);
2360 return res;
2361 }
2362
drop_collected_paths(struct path * paths,struct path * prealloc)2363 void drop_collected_paths(struct path *paths, struct path *prealloc)
2364 {
2365 for (struct path *p = paths; p->mnt; p++)
2366 path_put(p);
2367 if (paths != prealloc)
2368 kfree(paths);
2369 }
2370
2371 static void free_mnt_ns(struct mnt_namespace *);
2372 static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *, bool);
2373
must_dissolve(struct mnt_namespace * mnt_ns)2374 static inline bool must_dissolve(struct mnt_namespace *mnt_ns)
2375 {
2376 /*
2377 * This mount belonged to an anonymous mount namespace
2378 * but was moved to a non-anonymous mount namespace and
2379 * then unmounted.
2380 */
2381 if (unlikely(!mnt_ns))
2382 return false;
2383
2384 /*
2385 * This mount belongs to a non-anonymous mount namespace
2386 * and we know that such a mount can never transition to
2387 * an anonymous mount namespace again.
2388 */
2389 if (!is_anon_ns(mnt_ns)) {
2390 /*
2391 * A detached mount either belongs to an anonymous mount
2392 * namespace or a non-anonymous mount namespace. It
2393 * should never belong to something purely internal.
2394 */
2395 VFS_WARN_ON_ONCE(mnt_ns == MNT_NS_INTERNAL);
2396 return false;
2397 }
2398
2399 return true;
2400 }
2401
dissolve_on_fput(struct vfsmount * mnt)2402 void dissolve_on_fput(struct vfsmount *mnt)
2403 {
2404 struct mnt_namespace *ns;
2405 struct mount *m = real_mount(mnt);
2406
2407 scoped_guard(rcu) {
2408 if (!must_dissolve(READ_ONCE(m->mnt_ns)))
2409 return;
2410 }
2411
2412 scoped_guard(namespace_lock, &namespace_sem) {
2413 ns = m->mnt_ns;
2414 if (!must_dissolve(ns))
2415 return;
2416
2417 /*
2418 * After must_dissolve() we know that this is a detached
2419 * mount in an anonymous mount namespace.
2420 *
2421 * Now when mnt_has_parent() reports that this mount
2422 * tree has a parent, we know that this anonymous mount
2423 * tree has been moved to another anonymous mount
2424 * namespace.
2425 *
2426 * So when closing this file we cannot unmount the mount
2427 * tree. This will be done when the file referring to
2428 * the root of the anonymous mount namespace will be
2429 * closed (It could already be closed but it would sync
2430 * on @namespace_sem and wait for us to finish.).
2431 */
2432 if (mnt_has_parent(m))
2433 return;
2434
2435 lock_mount_hash();
2436 umount_tree(m, UMOUNT_CONNECTED);
2437 unlock_mount_hash();
2438 }
2439
2440 /* Make sure we notice when we leak mounts. */
2441 VFS_WARN_ON_ONCE(!mnt_ns_empty(ns));
2442 free_mnt_ns(ns);
2443 }
2444
__has_locked_children(struct mount * mnt,struct dentry * dentry)2445 static bool __has_locked_children(struct mount *mnt, struct dentry *dentry)
2446 {
2447 struct mount *child;
2448
2449 list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
2450 if (!is_subdir(child->mnt_mountpoint, dentry))
2451 continue;
2452
2453 if (child->mnt.mnt_flags & MNT_LOCKED)
2454 return true;
2455 }
2456 return false;
2457 }
2458
has_locked_children(struct mount * mnt,struct dentry * dentry)2459 bool has_locked_children(struct mount *mnt, struct dentry *dentry)
2460 {
2461 bool res;
2462
2463 read_seqlock_excl(&mount_lock);
2464 res = __has_locked_children(mnt, dentry);
2465 read_sequnlock_excl(&mount_lock);
2466 return res;
2467 }
2468
2469 /*
2470 * Check that there aren't references to earlier/same mount namespaces in the
2471 * specified subtree. Such references can act as pins for mount namespaces
2472 * that aren't checked by the mount-cycle checking code, thereby allowing
2473 * cycles to be made.
2474 */
check_for_nsfs_mounts(struct mount * subtree)2475 static bool check_for_nsfs_mounts(struct mount *subtree)
2476 {
2477 struct mount *p;
2478 bool ret = false;
2479
2480 lock_mount_hash();
2481 for (p = subtree; p; p = next_mnt(p, subtree))
2482 if (mnt_ns_loop(p->mnt.mnt_root))
2483 goto out;
2484
2485 ret = true;
2486 out:
2487 unlock_mount_hash();
2488 return ret;
2489 }
2490
2491 /**
2492 * clone_private_mount - create a private clone of a path
2493 * @path: path to clone
2494 *
2495 * This creates a new vfsmount, which will be the clone of @path. The new mount
2496 * will not be attached anywhere in the namespace and will be private (i.e.
2497 * changes to the originating mount won't be propagated into this).
2498 *
2499 * This assumes caller has called or done the equivalent of may_mount().
2500 *
2501 * Release with mntput().
2502 */
clone_private_mount(const struct path * path)2503 struct vfsmount *clone_private_mount(const struct path *path)
2504 {
2505 struct mount *old_mnt = real_mount(path->mnt);
2506 struct mount *new_mnt;
2507
2508 guard(rwsem_read)(&namespace_sem);
2509
2510 if (IS_MNT_UNBINDABLE(old_mnt))
2511 return ERR_PTR(-EINVAL);
2512
2513 /*
2514 * Make sure the source mount is acceptable.
2515 * Anything mounted in our mount namespace is allowed.
2516 * Otherwise, it must be the root of an anonymous mount
2517 * namespace, and we need to make sure no namespace
2518 * loops get created.
2519 */
2520 if (!check_mnt(old_mnt)) {
2521 if (!is_mounted(&old_mnt->mnt) ||
2522 !is_anon_ns(old_mnt->mnt_ns) ||
2523 mnt_has_parent(old_mnt))
2524 return ERR_PTR(-EINVAL);
2525
2526 if (!check_for_nsfs_mounts(old_mnt))
2527 return ERR_PTR(-EINVAL);
2528 }
2529
2530 if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN))
2531 return ERR_PTR(-EPERM);
2532
2533 if (__has_locked_children(old_mnt, path->dentry))
2534 return ERR_PTR(-EINVAL);
2535
2536 new_mnt = clone_mnt(old_mnt, path->dentry, CL_PRIVATE);
2537 if (IS_ERR(new_mnt))
2538 return ERR_PTR(-EINVAL);
2539
2540 /* Longterm mount to be removed by kern_unmount*() */
2541 new_mnt->mnt_ns = MNT_NS_INTERNAL;
2542 return &new_mnt->mnt;
2543 }
2544 EXPORT_SYMBOL_GPL(clone_private_mount);
2545
lock_mnt_tree(struct mount * mnt)2546 static void lock_mnt_tree(struct mount *mnt)
2547 {
2548 struct mount *p;
2549
2550 for (p = mnt; p; p = next_mnt(p, mnt)) {
2551 int flags = p->mnt.mnt_flags;
2552 /* Don't allow unprivileged users to change mount flags */
2553 flags |= MNT_LOCK_ATIME;
2554
2555 if (flags & MNT_READONLY)
2556 flags |= MNT_LOCK_READONLY;
2557
2558 if (flags & MNT_NODEV)
2559 flags |= MNT_LOCK_NODEV;
2560
2561 if (flags & MNT_NOSUID)
2562 flags |= MNT_LOCK_NOSUID;
2563
2564 if (flags & MNT_NOEXEC)
2565 flags |= MNT_LOCK_NOEXEC;
2566 /* Don't allow unprivileged users to reveal what is under a mount */
2567 if (list_empty(&p->mnt_expire))
2568 flags |= MNT_LOCKED;
2569 p->mnt.mnt_flags = flags;
2570 }
2571 }
2572
cleanup_group_ids(struct mount * mnt,struct mount * end)2573 static void cleanup_group_ids(struct mount *mnt, struct mount *end)
2574 {
2575 struct mount *p;
2576
2577 for (p = mnt; p != end; p = next_mnt(p, mnt)) {
2578 if (p->mnt_group_id && !IS_MNT_SHARED(p))
2579 mnt_release_group_id(p);
2580 }
2581 }
2582
invent_group_ids(struct mount * mnt,bool recurse)2583 static int invent_group_ids(struct mount *mnt, bool recurse)
2584 {
2585 struct mount *p;
2586
2587 for (p = mnt; p; p = recurse ? next_mnt(p, mnt) : NULL) {
2588 if (!p->mnt_group_id && !IS_MNT_SHARED(p)) {
2589 int err = mnt_alloc_group_id(p);
2590 if (err) {
2591 cleanup_group_ids(mnt, p);
2592 return err;
2593 }
2594 }
2595 }
2596
2597 return 0;
2598 }
2599
count_mounts(struct mnt_namespace * ns,struct mount * mnt)2600 int count_mounts(struct mnt_namespace *ns, struct mount *mnt)
2601 {
2602 unsigned int max = READ_ONCE(sysctl_mount_max);
2603 unsigned int mounts = 0;
2604 struct mount *p;
2605
2606 if (ns->nr_mounts >= max)
2607 return -ENOSPC;
2608 max -= ns->nr_mounts;
2609 if (ns->pending_mounts >= max)
2610 return -ENOSPC;
2611 max -= ns->pending_mounts;
2612
2613 for (p = mnt; p; p = next_mnt(p, mnt))
2614 mounts++;
2615
2616 if (mounts > max)
2617 return -ENOSPC;
2618
2619 ns->pending_mounts += mounts;
2620 return 0;
2621 }
2622
2623 enum mnt_tree_flags_t {
2624 MNT_TREE_MOVE = BIT(0),
2625 MNT_TREE_BENEATH = BIT(1),
2626 MNT_TREE_PROPAGATION = BIT(2),
2627 };
2628
2629 /**
2630 * attach_recursive_mnt - attach a source mount tree
2631 * @source_mnt: mount tree to be attached
2632 * @top_mnt: mount that @source_mnt will be mounted on or mounted beneath
2633 * @dest_mp: the mountpoint @source_mnt will be mounted at
2634 * @flags: modify how @source_mnt is supposed to be attached
2635 *
2636 * NOTE: in the table below explains the semantics when a source mount
2637 * of a given type is attached to a destination mount of a given type.
2638 * ---------------------------------------------------------------------------
2639 * | BIND MOUNT OPERATION |
2640 * |**************************************************************************
2641 * | source-->| shared | private | slave | unbindable |
2642 * | dest | | | | |
2643 * | | | | | | |
2644 * | v | | | | |
2645 * |**************************************************************************
2646 * | shared | shared (++) | shared (+) | shared(+++)| invalid |
2647 * | | | | | |
2648 * |non-shared| shared (+) | private | slave (*) | invalid |
2649 * ***************************************************************************
2650 * A bind operation clones the source mount and mounts the clone on the
2651 * destination mount.
2652 *
2653 * (++) the cloned mount is propagated to all the mounts in the propagation
2654 * tree of the destination mount and the cloned mount is added to
2655 * the peer group of the source mount.
2656 * (+) the cloned mount is created under the destination mount and is marked
2657 * as shared. The cloned mount is added to the peer group of the source
2658 * mount.
2659 * (+++) the mount is propagated to all the mounts in the propagation tree
2660 * of the destination mount and the cloned mount is made slave
2661 * of the same master as that of the source mount. The cloned mount
2662 * is marked as 'shared and slave'.
2663 * (*) the cloned mount is made a slave of the same master as that of the
2664 * source mount.
2665 *
2666 * ---------------------------------------------------------------------------
2667 * | MOVE MOUNT OPERATION |
2668 * |**************************************************************************
2669 * | source-->| shared | private | slave | unbindable |
2670 * | dest | | | | |
2671 * | | | | | | |
2672 * | v | | | | |
2673 * |**************************************************************************
2674 * | shared | shared (+) | shared (+) | shared(+++) | invalid |
2675 * | | | | | |
2676 * |non-shared| shared (+*) | private | slave (*) | unbindable |
2677 * ***************************************************************************
2678 *
2679 * (+) the mount is moved to the destination. And is then propagated to
2680 * all the mounts in the propagation tree of the destination mount.
2681 * (+*) the mount is moved to the destination.
2682 * (+++) the mount is moved to the destination and is then propagated to
2683 * all the mounts belonging to the destination mount's propagation tree.
2684 * the mount is marked as 'shared and slave'.
2685 * (*) the mount continues to be a slave at the new location.
2686 *
2687 * if the source mount is a tree, the operations explained above is
2688 * applied to each mount in the tree.
2689 * Must be called without spinlocks held, since this function can sleep
2690 * in allocations.
2691 *
2692 * Context: The function expects namespace_lock() to be held.
2693 * Return: If @source_mnt was successfully attached 0 is returned.
2694 * Otherwise a negative error code is returned.
2695 */
attach_recursive_mnt(struct mount * source_mnt,struct mount * top_mnt,struct mountpoint * dest_mp,enum mnt_tree_flags_t flags)2696 static int attach_recursive_mnt(struct mount *source_mnt,
2697 struct mount *top_mnt,
2698 struct mountpoint *dest_mp,
2699 enum mnt_tree_flags_t flags)
2700 {
2701 struct user_namespace *user_ns = current->nsproxy->mnt_ns->user_ns;
2702 HLIST_HEAD(tree_list);
2703 struct mnt_namespace *ns = top_mnt->mnt_ns;
2704 struct mountpoint *smp;
2705 struct mount *child, *dest_mnt, *p;
2706 struct hlist_node *n;
2707 int err = 0;
2708 bool moving = flags & MNT_TREE_MOVE, beneath = flags & MNT_TREE_BENEATH;
2709
2710 /*
2711 * Preallocate a mountpoint in case the new mounts need to be
2712 * mounted beneath mounts on the same mountpoint.
2713 */
2714 smp = get_mountpoint(source_mnt->mnt.mnt_root);
2715 if (IS_ERR(smp))
2716 return PTR_ERR(smp);
2717
2718 /* Is there space to add these mounts to the mount namespace? */
2719 if (!moving) {
2720 err = count_mounts(ns, source_mnt);
2721 if (err)
2722 goto out;
2723 }
2724
2725 if (beneath)
2726 dest_mnt = top_mnt->mnt_parent;
2727 else
2728 dest_mnt = top_mnt;
2729
2730 if (IS_MNT_SHARED(dest_mnt)) {
2731 err = invent_group_ids(source_mnt, true);
2732 if (err)
2733 goto out;
2734 err = propagate_mnt(dest_mnt, dest_mp, source_mnt, &tree_list);
2735 }
2736 lock_mount_hash();
2737 if (err)
2738 goto out_cleanup_ids;
2739
2740 if (IS_MNT_SHARED(dest_mnt)) {
2741 for (p = source_mnt; p; p = next_mnt(p, source_mnt))
2742 set_mnt_shared(p);
2743 }
2744
2745 if (moving) {
2746 if (beneath)
2747 dest_mp = smp;
2748 unhash_mnt(source_mnt);
2749 attach_mnt(source_mnt, top_mnt, dest_mp, beneath);
2750 mnt_notify_add(source_mnt);
2751 touch_mnt_namespace(source_mnt->mnt_ns);
2752 } else {
2753 if (source_mnt->mnt_ns) {
2754 LIST_HEAD(head);
2755
2756 /* move from anon - the caller will destroy */
2757 for (p = source_mnt; p; p = next_mnt(p, source_mnt))
2758 move_from_ns(p, &head);
2759 list_del_init(&head);
2760 }
2761 if (beneath)
2762 mnt_set_mountpoint_beneath(source_mnt, top_mnt, smp);
2763 else
2764 mnt_set_mountpoint(dest_mnt, dest_mp, source_mnt);
2765 commit_tree(source_mnt);
2766 }
2767
2768 hlist_for_each_entry_safe(child, n, &tree_list, mnt_hash) {
2769 struct mount *q;
2770 hlist_del_init(&child->mnt_hash);
2771 /* Notice when we are propagating across user namespaces */
2772 if (child->mnt_parent->mnt_ns->user_ns != user_ns)
2773 lock_mnt_tree(child);
2774 child->mnt.mnt_flags &= ~MNT_LOCKED;
2775 q = __lookup_mnt(&child->mnt_parent->mnt,
2776 child->mnt_mountpoint);
2777 if (q)
2778 mnt_change_mountpoint(child, smp, q);
2779 commit_tree(child);
2780 }
2781 put_mountpoint(smp);
2782 unlock_mount_hash();
2783
2784 return 0;
2785
2786 out_cleanup_ids:
2787 while (!hlist_empty(&tree_list)) {
2788 child = hlist_entry(tree_list.first, struct mount, mnt_hash);
2789 child->mnt_parent->mnt_ns->pending_mounts = 0;
2790 umount_tree(child, UMOUNT_SYNC);
2791 }
2792 unlock_mount_hash();
2793 cleanup_group_ids(source_mnt, NULL);
2794 out:
2795 ns->pending_mounts = 0;
2796
2797 read_seqlock_excl(&mount_lock);
2798 put_mountpoint(smp);
2799 read_sequnlock_excl(&mount_lock);
2800
2801 return err;
2802 }
2803
2804 /**
2805 * do_lock_mount - lock mount and mountpoint
2806 * @path: target path
2807 * @beneath: whether the intention is to mount beneath @path
2808 *
2809 * Follow the mount stack on @path until the top mount @mnt is found. If
2810 * the initial @path->{mnt,dentry} is a mountpoint lookup the first
2811 * mount stacked on top of it. Then simply follow @{mnt,mnt->mnt_root}
2812 * until nothing is stacked on top of it anymore.
2813 *
2814 * Acquire the inode_lock() on the top mount's ->mnt_root to protect
2815 * against concurrent removal of the new mountpoint from another mount
2816 * namespace.
2817 *
2818 * If @beneath is requested, acquire inode_lock() on @mnt's mountpoint
2819 * @mp on @mnt->mnt_parent must be acquired. This protects against a
2820 * concurrent unlink of @mp->mnt_dentry from another mount namespace
2821 * where @mnt doesn't have a child mount mounted @mp. A concurrent
2822 * removal of @mnt->mnt_root doesn't matter as nothing will be mounted
2823 * on top of it for @beneath.
2824 *
2825 * In addition, @beneath needs to make sure that @mnt hasn't been
2826 * unmounted or moved from its current mountpoint in between dropping
2827 * @mount_lock and acquiring @namespace_sem. For the !@beneath case @mnt
2828 * being unmounted would be detected later by e.g., calling
2829 * check_mnt(mnt) in the function it's called from. For the @beneath
2830 * case however, it's useful to detect it directly in do_lock_mount().
2831 * If @mnt hasn't been unmounted then @mnt->mnt_mountpoint still points
2832 * to @mnt->mnt_mp->m_dentry. But if @mnt has been unmounted it will
2833 * point to @mnt->mnt_root and @mnt->mnt_mp will be NULL.
2834 *
2835 * Return: Either the target mountpoint on the top mount or the top
2836 * mount's mountpoint.
2837 */
do_lock_mount(struct path * path,bool beneath)2838 static struct mountpoint *do_lock_mount(struct path *path, bool beneath)
2839 {
2840 struct vfsmount *mnt = path->mnt;
2841 struct dentry *dentry;
2842 struct mountpoint *mp = ERR_PTR(-ENOENT);
2843 struct path under = {};
2844
2845 for (;;) {
2846 struct mount *m = real_mount(mnt);
2847
2848 if (beneath) {
2849 path_put(&under);
2850 read_seqlock_excl(&mount_lock);
2851 under.mnt = mntget(&m->mnt_parent->mnt);
2852 under.dentry = dget(m->mnt_mountpoint);
2853 read_sequnlock_excl(&mount_lock);
2854 dentry = under.dentry;
2855 } else {
2856 dentry = path->dentry;
2857 }
2858
2859 inode_lock(dentry->d_inode);
2860 namespace_lock();
2861
2862 if (unlikely(cant_mount(dentry) || !is_mounted(mnt)))
2863 break; // not to be mounted on
2864
2865 if (beneath && unlikely(m->mnt_mountpoint != dentry ||
2866 &m->mnt_parent->mnt != under.mnt)) {
2867 namespace_unlock();
2868 inode_unlock(dentry->d_inode);
2869 continue; // got moved
2870 }
2871
2872 mnt = lookup_mnt(path);
2873 if (unlikely(mnt)) {
2874 namespace_unlock();
2875 inode_unlock(dentry->d_inode);
2876 path_put(path);
2877 path->mnt = mnt;
2878 path->dentry = dget(mnt->mnt_root);
2879 continue; // got overmounted
2880 }
2881 mp = get_mountpoint(dentry);
2882 if (IS_ERR(mp))
2883 break;
2884 if (beneath) {
2885 /*
2886 * @under duplicates the references that will stay
2887 * at least until namespace_unlock(), so the path_put()
2888 * below is safe (and OK to do under namespace_lock -
2889 * we are not dropping the final references here).
2890 */
2891 path_put(&under);
2892 }
2893 return mp;
2894 }
2895 namespace_unlock();
2896 inode_unlock(dentry->d_inode);
2897 if (beneath)
2898 path_put(&under);
2899 return mp;
2900 }
2901
lock_mount(struct path * path)2902 static inline struct mountpoint *lock_mount(struct path *path)
2903 {
2904 return do_lock_mount(path, false);
2905 }
2906
unlock_mount(struct mountpoint * where)2907 static void unlock_mount(struct mountpoint *where)
2908 {
2909 inode_unlock(where->m_dentry->d_inode);
2910 read_seqlock_excl(&mount_lock);
2911 put_mountpoint(where);
2912 read_sequnlock_excl(&mount_lock);
2913 namespace_unlock();
2914 }
2915
graft_tree(struct mount * mnt,struct mount * p,struct mountpoint * mp)2916 static int graft_tree(struct mount *mnt, struct mount *p, struct mountpoint *mp)
2917 {
2918 if (mnt->mnt.mnt_sb->s_flags & SB_NOUSER)
2919 return -EINVAL;
2920
2921 if (d_is_dir(mp->m_dentry) !=
2922 d_is_dir(mnt->mnt.mnt_root))
2923 return -ENOTDIR;
2924
2925 return attach_recursive_mnt(mnt, p, mp, 0);
2926 }
2927
2928 /*
2929 * Sanity check the flags to change_mnt_propagation.
2930 */
2931
flags_to_propagation_type(int ms_flags)2932 static int flags_to_propagation_type(int ms_flags)
2933 {
2934 int type = ms_flags & ~(MS_REC | MS_SILENT);
2935
2936 /* Fail if any non-propagation flags are set */
2937 if (type & ~(MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE))
2938 return 0;
2939 /* Only one propagation flag should be set */
2940 if (!is_power_of_2(type))
2941 return 0;
2942 return type;
2943 }
2944
2945 /*
2946 * recursively change the type of the mountpoint.
2947 */
do_change_type(struct path * path,int ms_flags)2948 static int do_change_type(struct path *path, int ms_flags)
2949 {
2950 struct mount *m;
2951 struct mount *mnt = real_mount(path->mnt);
2952 int recurse = ms_flags & MS_REC;
2953 int type;
2954 int err = 0;
2955
2956 if (!path_mounted(path))
2957 return -EINVAL;
2958
2959 type = flags_to_propagation_type(ms_flags);
2960 if (!type)
2961 return -EINVAL;
2962
2963 namespace_lock();
2964 if (!check_mnt(mnt)) {
2965 err = -EINVAL;
2966 goto out_unlock;
2967 }
2968 if (type == MS_SHARED) {
2969 err = invent_group_ids(mnt, recurse);
2970 if (err)
2971 goto out_unlock;
2972 }
2973
2974 lock_mount_hash();
2975 for (m = mnt; m; m = (recurse ? next_mnt(m, mnt) : NULL))
2976 change_mnt_propagation(m, type);
2977 unlock_mount_hash();
2978
2979 out_unlock:
2980 namespace_unlock();
2981 return err;
2982 }
2983
2984 /* may_copy_tree() - check if a mount tree can be copied
2985 * @path: path to the mount tree to be copied
2986 *
2987 * This helper checks if the caller may copy the mount tree starting
2988 * from @path->mnt. The caller may copy the mount tree under the
2989 * following circumstances:
2990 *
2991 * (1) The caller is located in the mount namespace of the mount tree.
2992 * This also implies that the mount does not belong to an anonymous
2993 * mount namespace.
2994 * (2) The caller tries to copy an nfs mount referring to a mount
2995 * namespace, i.e., the caller is trying to copy a mount namespace
2996 * entry from nsfs.
2997 * (3) The caller tries to copy a pidfs mount referring to a pidfd.
2998 * (4) The caller is trying to copy a mount tree that belongs to an
2999 * anonymous mount namespace.
3000 *
3001 * For that to be safe, this helper enforces that the origin mount
3002 * namespace the anonymous mount namespace was created from is the
3003 * same as the caller's mount namespace by comparing the sequence
3004 * numbers.
3005 *
3006 * This is not strictly necessary. The current semantics of the new
3007 * mount api enforce that the caller must be located in the same
3008 * mount namespace as the mount tree it interacts with. Using the
3009 * origin sequence number preserves these semantics even for
3010 * anonymous mount namespaces. However, one could envision extending
3011 * the api to directly operate across mount namespace if needed.
3012 *
3013 * The ownership of a non-anonymous mount namespace such as the
3014 * caller's cannot change.
3015 * => We know that the caller's mount namespace is stable.
3016 *
3017 * If the origin sequence number of the anonymous mount namespace is
3018 * the same as the sequence number of the caller's mount namespace.
3019 * => The owning namespaces are the same.
3020 *
3021 * ==> The earlier capability check on the owning namespace of the
3022 * caller's mount namespace ensures that the caller has the
3023 * ability to copy the mount tree.
3024 *
3025 * Returns true if the mount tree can be copied, false otherwise.
3026 */
may_copy_tree(struct path * path)3027 static inline bool may_copy_tree(struct path *path)
3028 {
3029 struct mount *mnt = real_mount(path->mnt);
3030 const struct dentry_operations *d_op;
3031
3032 if (check_mnt(mnt))
3033 return true;
3034
3035 d_op = path->dentry->d_op;
3036 if (d_op == &ns_dentry_operations)
3037 return true;
3038
3039 if (d_op == &pidfs_dentry_operations)
3040 return true;
3041
3042 if (!is_mounted(path->mnt))
3043 return false;
3044
3045 return check_anonymous_mnt(mnt);
3046 }
3047
3048
__do_loopback(struct path * old_path,int recurse)3049 static struct mount *__do_loopback(struct path *old_path, int recurse)
3050 {
3051 struct mount *mnt = ERR_PTR(-EINVAL), *old = real_mount(old_path->mnt);
3052
3053 if (IS_MNT_UNBINDABLE(old))
3054 return mnt;
3055
3056 if (!may_copy_tree(old_path))
3057 return mnt;
3058
3059 if (!recurse && __has_locked_children(old, old_path->dentry))
3060 return mnt;
3061
3062 if (recurse)
3063 mnt = copy_tree(old, old_path->dentry, CL_COPY_MNT_NS_FILE);
3064 else
3065 mnt = clone_mnt(old, old_path->dentry, 0);
3066
3067 if (!IS_ERR(mnt))
3068 mnt->mnt.mnt_flags &= ~MNT_LOCKED;
3069
3070 return mnt;
3071 }
3072
3073 /*
3074 * do loopback mount.
3075 */
do_loopback(struct path * path,const char * old_name,int recurse)3076 static int do_loopback(struct path *path, const char *old_name,
3077 int recurse)
3078 {
3079 struct path old_path;
3080 struct mount *mnt = NULL, *parent;
3081 struct mountpoint *mp;
3082 int err;
3083 if (!old_name || !*old_name)
3084 return -EINVAL;
3085 err = kern_path(old_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
3086 if (err)
3087 return err;
3088
3089 err = -EINVAL;
3090 if (mnt_ns_loop(old_path.dentry))
3091 goto out;
3092
3093 mp = lock_mount(path);
3094 if (IS_ERR(mp)) {
3095 err = PTR_ERR(mp);
3096 goto out;
3097 }
3098
3099 parent = real_mount(path->mnt);
3100 if (!check_mnt(parent))
3101 goto out2;
3102
3103 mnt = __do_loopback(&old_path, recurse);
3104 if (IS_ERR(mnt)) {
3105 err = PTR_ERR(mnt);
3106 goto out2;
3107 }
3108
3109 err = graft_tree(mnt, parent, mp);
3110 if (err) {
3111 lock_mount_hash();
3112 umount_tree(mnt, UMOUNT_SYNC);
3113 unlock_mount_hash();
3114 }
3115 out2:
3116 unlock_mount(mp);
3117 out:
3118 path_put(&old_path);
3119 return err;
3120 }
3121
open_detached_copy(struct path * path,bool recursive)3122 static struct file *open_detached_copy(struct path *path, bool recursive)
3123 {
3124 struct mnt_namespace *ns, *mnt_ns = current->nsproxy->mnt_ns, *src_mnt_ns;
3125 struct user_namespace *user_ns = mnt_ns->user_ns;
3126 struct mount *mnt, *p;
3127 struct file *file;
3128
3129 ns = alloc_mnt_ns(user_ns, true);
3130 if (IS_ERR(ns))
3131 return ERR_CAST(ns);
3132
3133 namespace_lock();
3134
3135 /*
3136 * Record the sequence number of the source mount namespace.
3137 * This needs to hold namespace_sem to ensure that the mount
3138 * doesn't get attached.
3139 */
3140 if (is_mounted(path->mnt)) {
3141 src_mnt_ns = real_mount(path->mnt)->mnt_ns;
3142 if (is_anon_ns(src_mnt_ns))
3143 ns->seq_origin = src_mnt_ns->seq_origin;
3144 else
3145 ns->seq_origin = src_mnt_ns->seq;
3146 }
3147
3148 mnt = __do_loopback(path, recursive);
3149 if (IS_ERR(mnt)) {
3150 namespace_unlock();
3151 free_mnt_ns(ns);
3152 return ERR_CAST(mnt);
3153 }
3154
3155 lock_mount_hash();
3156 for (p = mnt; p; p = next_mnt(p, mnt)) {
3157 mnt_add_to_ns(ns, p);
3158 ns->nr_mounts++;
3159 }
3160 ns->root = mnt;
3161 mntget(&mnt->mnt);
3162 unlock_mount_hash();
3163 namespace_unlock();
3164
3165 mntput(path->mnt);
3166 path->mnt = &mnt->mnt;
3167 file = dentry_open(path, O_PATH, current_cred());
3168 if (IS_ERR(file))
3169 dissolve_on_fput(path->mnt);
3170 else
3171 file->f_mode |= FMODE_NEED_UNMOUNT;
3172 return file;
3173 }
3174
vfs_open_tree(int dfd,const char __user * filename,unsigned int flags)3175 static struct file *vfs_open_tree(int dfd, const char __user *filename, unsigned int flags)
3176 {
3177 int ret;
3178 struct path path __free(path_put) = {};
3179 int lookup_flags = LOOKUP_AUTOMOUNT | LOOKUP_FOLLOW;
3180 bool detached = flags & OPEN_TREE_CLONE;
3181
3182 BUILD_BUG_ON(OPEN_TREE_CLOEXEC != O_CLOEXEC);
3183
3184 if (flags & ~(AT_EMPTY_PATH | AT_NO_AUTOMOUNT | AT_RECURSIVE |
3185 AT_SYMLINK_NOFOLLOW | OPEN_TREE_CLONE |
3186 OPEN_TREE_CLOEXEC))
3187 return ERR_PTR(-EINVAL);
3188
3189 if ((flags & (AT_RECURSIVE | OPEN_TREE_CLONE)) == AT_RECURSIVE)
3190 return ERR_PTR(-EINVAL);
3191
3192 if (flags & AT_NO_AUTOMOUNT)
3193 lookup_flags &= ~LOOKUP_AUTOMOUNT;
3194 if (flags & AT_SYMLINK_NOFOLLOW)
3195 lookup_flags &= ~LOOKUP_FOLLOW;
3196 if (flags & AT_EMPTY_PATH)
3197 lookup_flags |= LOOKUP_EMPTY;
3198
3199 if (detached && !may_mount())
3200 return ERR_PTR(-EPERM);
3201
3202 ret = user_path_at(dfd, filename, lookup_flags, &path);
3203 if (unlikely(ret))
3204 return ERR_PTR(ret);
3205
3206 if (detached)
3207 return open_detached_copy(&path, flags & AT_RECURSIVE);
3208
3209 return dentry_open(&path, O_PATH, current_cred());
3210 }
3211
SYSCALL_DEFINE3(open_tree,int,dfd,const char __user *,filename,unsigned,flags)3212 SYSCALL_DEFINE3(open_tree, int, dfd, const char __user *, filename, unsigned, flags)
3213 {
3214 int fd;
3215 struct file *file __free(fput) = NULL;
3216
3217 file = vfs_open_tree(dfd, filename, flags);
3218 if (IS_ERR(file))
3219 return PTR_ERR(file);
3220
3221 fd = get_unused_fd_flags(flags & O_CLOEXEC);
3222 if (fd < 0)
3223 return fd;
3224
3225 fd_install(fd, no_free_ptr(file));
3226 return fd;
3227 }
3228
3229 /*
3230 * Don't allow locked mount flags to be cleared.
3231 *
3232 * No locks need to be held here while testing the various MNT_LOCK
3233 * flags because those flags can never be cleared once they are set.
3234 */
can_change_locked_flags(struct mount * mnt,unsigned int mnt_flags)3235 static bool can_change_locked_flags(struct mount *mnt, unsigned int mnt_flags)
3236 {
3237 unsigned int fl = mnt->mnt.mnt_flags;
3238
3239 if ((fl & MNT_LOCK_READONLY) &&
3240 !(mnt_flags & MNT_READONLY))
3241 return false;
3242
3243 if ((fl & MNT_LOCK_NODEV) &&
3244 !(mnt_flags & MNT_NODEV))
3245 return false;
3246
3247 if ((fl & MNT_LOCK_NOSUID) &&
3248 !(mnt_flags & MNT_NOSUID))
3249 return false;
3250
3251 if ((fl & MNT_LOCK_NOEXEC) &&
3252 !(mnt_flags & MNT_NOEXEC))
3253 return false;
3254
3255 if ((fl & MNT_LOCK_ATIME) &&
3256 ((fl & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK)))
3257 return false;
3258
3259 return true;
3260 }
3261
change_mount_ro_state(struct mount * mnt,unsigned int mnt_flags)3262 static int change_mount_ro_state(struct mount *mnt, unsigned int mnt_flags)
3263 {
3264 bool readonly_request = (mnt_flags & MNT_READONLY);
3265
3266 if (readonly_request == __mnt_is_readonly(&mnt->mnt))
3267 return 0;
3268
3269 if (readonly_request)
3270 return mnt_make_readonly(mnt);
3271
3272 mnt->mnt.mnt_flags &= ~MNT_READONLY;
3273 return 0;
3274 }
3275
set_mount_attributes(struct mount * mnt,unsigned int mnt_flags)3276 static void set_mount_attributes(struct mount *mnt, unsigned int mnt_flags)
3277 {
3278 mnt_flags |= mnt->mnt.mnt_flags & ~MNT_USER_SETTABLE_MASK;
3279 mnt->mnt.mnt_flags = mnt_flags;
3280 touch_mnt_namespace(mnt->mnt_ns);
3281 }
3282
mnt_warn_timestamp_expiry(struct path * mountpoint,struct vfsmount * mnt)3283 static void mnt_warn_timestamp_expiry(struct path *mountpoint, struct vfsmount *mnt)
3284 {
3285 struct super_block *sb = mnt->mnt_sb;
3286
3287 if (!__mnt_is_readonly(mnt) &&
3288 (!(sb->s_iflags & SB_I_TS_EXPIRY_WARNED)) &&
3289 (ktime_get_real_seconds() + TIME_UPTIME_SEC_MAX > sb->s_time_max)) {
3290 char *buf, *mntpath;
3291
3292 buf = (char *)__get_free_page(GFP_KERNEL);
3293 if (buf)
3294 mntpath = d_path(mountpoint, buf, PAGE_SIZE);
3295 else
3296 mntpath = ERR_PTR(-ENOMEM);
3297 if (IS_ERR(mntpath))
3298 mntpath = "(unknown)";
3299
3300 pr_warn("%s filesystem being %s at %s supports timestamps until %ptTd (0x%llx)\n",
3301 sb->s_type->name,
3302 is_mounted(mnt) ? "remounted" : "mounted",
3303 mntpath, &sb->s_time_max,
3304 (unsigned long long)sb->s_time_max);
3305
3306 sb->s_iflags |= SB_I_TS_EXPIRY_WARNED;
3307 if (buf)
3308 free_page((unsigned long)buf);
3309 }
3310 }
3311
3312 /*
3313 * Handle reconfiguration of the mountpoint only without alteration of the
3314 * superblock it refers to. This is triggered by specifying MS_REMOUNT|MS_BIND
3315 * to mount(2).
3316 */
do_reconfigure_mnt(struct path * path,unsigned int mnt_flags)3317 static int do_reconfigure_mnt(struct path *path, unsigned int mnt_flags)
3318 {
3319 struct super_block *sb = path->mnt->mnt_sb;
3320 struct mount *mnt = real_mount(path->mnt);
3321 int ret;
3322
3323 if (!check_mnt(mnt))
3324 return -EINVAL;
3325
3326 if (!path_mounted(path))
3327 return -EINVAL;
3328
3329 if (!can_change_locked_flags(mnt, mnt_flags))
3330 return -EPERM;
3331
3332 /*
3333 * We're only checking whether the superblock is read-only not
3334 * changing it, so only take down_read(&sb->s_umount).
3335 */
3336 down_read(&sb->s_umount);
3337 lock_mount_hash();
3338 ret = change_mount_ro_state(mnt, mnt_flags);
3339 if (ret == 0)
3340 set_mount_attributes(mnt, mnt_flags);
3341 unlock_mount_hash();
3342 up_read(&sb->s_umount);
3343
3344 mnt_warn_timestamp_expiry(path, &mnt->mnt);
3345
3346 return ret;
3347 }
3348
3349 /*
3350 * change filesystem flags. dir should be a physical root of filesystem.
3351 * If you've mounted a non-root directory somewhere and want to do remount
3352 * on it - tough luck.
3353 */
do_remount(struct path * path,int ms_flags,int sb_flags,int mnt_flags,void * data)3354 static int do_remount(struct path *path, int ms_flags, int sb_flags,
3355 int mnt_flags, void *data)
3356 {
3357 int err;
3358 struct super_block *sb = path->mnt->mnt_sb;
3359 struct mount *mnt = real_mount(path->mnt);
3360 struct fs_context *fc;
3361
3362 if (!check_mnt(mnt))
3363 return -EINVAL;
3364
3365 if (!path_mounted(path))
3366 return -EINVAL;
3367
3368 if (!can_change_locked_flags(mnt, mnt_flags))
3369 return -EPERM;
3370
3371 fc = fs_context_for_reconfigure(path->dentry, sb_flags, MS_RMT_MASK);
3372 if (IS_ERR(fc))
3373 return PTR_ERR(fc);
3374
3375 /*
3376 * Indicate to the filesystem that the remount request is coming
3377 * from the legacy mount system call.
3378 */
3379 fc->oldapi = true;
3380
3381 err = parse_monolithic_mount_data(fc, data);
3382 if (!err) {
3383 down_write(&sb->s_umount);
3384 err = -EPERM;
3385 if (ns_capable(sb->s_user_ns, CAP_SYS_ADMIN)) {
3386 err = reconfigure_super(fc);
3387 if (!err) {
3388 lock_mount_hash();
3389 set_mount_attributes(mnt, mnt_flags);
3390 unlock_mount_hash();
3391 }
3392 }
3393 up_write(&sb->s_umount);
3394 }
3395
3396 mnt_warn_timestamp_expiry(path, &mnt->mnt);
3397
3398 put_fs_context(fc);
3399 return err;
3400 }
3401
tree_contains_unbindable(struct mount * mnt)3402 static inline int tree_contains_unbindable(struct mount *mnt)
3403 {
3404 struct mount *p;
3405 for (p = mnt; p; p = next_mnt(p, mnt)) {
3406 if (IS_MNT_UNBINDABLE(p))
3407 return 1;
3408 }
3409 return 0;
3410 }
3411
do_set_group(struct path * from_path,struct path * to_path)3412 static int do_set_group(struct path *from_path, struct path *to_path)
3413 {
3414 struct mount *from, *to;
3415 int err;
3416
3417 from = real_mount(from_path->mnt);
3418 to = real_mount(to_path->mnt);
3419
3420 namespace_lock();
3421
3422 err = -EINVAL;
3423 /* To and From must be mounted */
3424 if (!is_mounted(&from->mnt))
3425 goto out;
3426 if (!is_mounted(&to->mnt))
3427 goto out;
3428
3429 err = -EPERM;
3430 /* We should be allowed to modify mount namespaces of both mounts */
3431 if (!ns_capable(from->mnt_ns->user_ns, CAP_SYS_ADMIN))
3432 goto out;
3433 if (!ns_capable(to->mnt_ns->user_ns, CAP_SYS_ADMIN))
3434 goto out;
3435
3436 err = -EINVAL;
3437 /* To and From paths should be mount roots */
3438 if (!path_mounted(from_path))
3439 goto out;
3440 if (!path_mounted(to_path))
3441 goto out;
3442
3443 /* Setting sharing groups is only allowed across same superblock */
3444 if (from->mnt.mnt_sb != to->mnt.mnt_sb)
3445 goto out;
3446
3447 /* From mount root should be wider than To mount root */
3448 if (!is_subdir(to->mnt.mnt_root, from->mnt.mnt_root))
3449 goto out;
3450
3451 /* From mount should not have locked children in place of To's root */
3452 if (__has_locked_children(from, to->mnt.mnt_root))
3453 goto out;
3454
3455 /* Setting sharing groups is only allowed on private mounts */
3456 if (IS_MNT_SHARED(to) || IS_MNT_SLAVE(to))
3457 goto out;
3458
3459 /* From should not be private */
3460 if (!IS_MNT_SHARED(from) && !IS_MNT_SLAVE(from))
3461 goto out;
3462
3463 if (IS_MNT_SLAVE(from)) {
3464 struct mount *m = from->mnt_master;
3465
3466 list_add(&to->mnt_slave, &from->mnt_slave);
3467 to->mnt_master = m;
3468 }
3469
3470 if (IS_MNT_SHARED(from)) {
3471 to->mnt_group_id = from->mnt_group_id;
3472 list_add(&to->mnt_share, &from->mnt_share);
3473 lock_mount_hash();
3474 set_mnt_shared(to);
3475 unlock_mount_hash();
3476 }
3477
3478 err = 0;
3479 out:
3480 namespace_unlock();
3481 return err;
3482 }
3483
3484 /**
3485 * path_overmounted - check if path is overmounted
3486 * @path: path to check
3487 *
3488 * Check if path is overmounted, i.e., if there's a mount on top of
3489 * @path->mnt with @path->dentry as mountpoint.
3490 *
3491 * Context: namespace_sem must be held at least shared.
3492 * MUST NOT be called under lock_mount_hash() (there one should just
3493 * call __lookup_mnt() and check if it returns NULL).
3494 * Return: If path is overmounted true is returned, false if not.
3495 */
path_overmounted(const struct path * path)3496 static inline bool path_overmounted(const struct path *path)
3497 {
3498 unsigned seq = read_seqbegin(&mount_lock);
3499 bool no_child;
3500
3501 rcu_read_lock();
3502 no_child = !__lookup_mnt(path->mnt, path->dentry);
3503 rcu_read_unlock();
3504 if (need_seqretry(&mount_lock, seq)) {
3505 read_seqlock_excl(&mount_lock);
3506 no_child = !__lookup_mnt(path->mnt, path->dentry);
3507 read_sequnlock_excl(&mount_lock);
3508 }
3509 return unlikely(!no_child);
3510 }
3511
3512 /**
3513 * can_move_mount_beneath - check that we can mount beneath the top mount
3514 * @from: mount to mount beneath
3515 * @to: mount under which to mount
3516 * @mp: mountpoint of @to
3517 *
3518 * - Make sure that @to->dentry is actually the root of a mount under
3519 * which we can mount another mount.
3520 * - Make sure that nothing can be mounted beneath the caller's current
3521 * root or the rootfs of the namespace.
3522 * - Make sure that the caller can unmount the topmost mount ensuring
3523 * that the caller could reveal the underlying mountpoint.
3524 * - Ensure that nothing has been mounted on top of @from before we
3525 * grabbed @namespace_sem to avoid creating pointless shadow mounts.
3526 * - Prevent mounting beneath a mount if the propagation relationship
3527 * between the source mount, parent mount, and top mount would lead to
3528 * nonsensical mount trees.
3529 *
3530 * Context: This function expects namespace_lock() to be held.
3531 * Return: On success 0, and on error a negative error code is returned.
3532 */
can_move_mount_beneath(const struct path * from,const struct path * to,const struct mountpoint * mp)3533 static int can_move_mount_beneath(const struct path *from,
3534 const struct path *to,
3535 const struct mountpoint *mp)
3536 {
3537 struct mount *mnt_from = real_mount(from->mnt),
3538 *mnt_to = real_mount(to->mnt),
3539 *parent_mnt_to = mnt_to->mnt_parent;
3540
3541 if (!mnt_has_parent(mnt_to))
3542 return -EINVAL;
3543
3544 if (!path_mounted(to))
3545 return -EINVAL;
3546
3547 if (IS_MNT_LOCKED(mnt_to))
3548 return -EINVAL;
3549
3550 /* Avoid creating shadow mounts during mount propagation. */
3551 if (path_overmounted(from))
3552 return -EINVAL;
3553
3554 /*
3555 * Mounting beneath the rootfs only makes sense when the
3556 * semantics of pivot_root(".", ".") are used.
3557 */
3558 if (&mnt_to->mnt == current->fs->root.mnt)
3559 return -EINVAL;
3560 if (parent_mnt_to == current->nsproxy->mnt_ns->root)
3561 return -EINVAL;
3562
3563 for (struct mount *p = mnt_from; mnt_has_parent(p); p = p->mnt_parent)
3564 if (p == mnt_to)
3565 return -EINVAL;
3566
3567 /*
3568 * If the parent mount propagates to the child mount this would
3569 * mean mounting @mnt_from on @mnt_to->mnt_parent and then
3570 * propagating a copy @c of @mnt_from on top of @mnt_to. This
3571 * defeats the whole purpose of mounting beneath another mount.
3572 */
3573 if (propagation_would_overmount(parent_mnt_to, mnt_to, mp))
3574 return -EINVAL;
3575
3576 /*
3577 * If @mnt_to->mnt_parent propagates to @mnt_from this would
3578 * mean propagating a copy @c of @mnt_from on top of @mnt_from.
3579 * Afterwards @mnt_from would be mounted on top of
3580 * @mnt_to->mnt_parent and @mnt_to would be unmounted from
3581 * @mnt->mnt_parent and remounted on @mnt_from. But since @c is
3582 * already mounted on @mnt_from, @mnt_to would ultimately be
3583 * remounted on top of @c. Afterwards, @mnt_from would be
3584 * covered by a copy @c of @mnt_from and @c would be covered by
3585 * @mnt_from itself. This defeats the whole purpose of mounting
3586 * @mnt_from beneath @mnt_to.
3587 */
3588 if (check_mnt(mnt_from) &&
3589 propagation_would_overmount(parent_mnt_to, mnt_from, mp))
3590 return -EINVAL;
3591
3592 return 0;
3593 }
3594
3595 /* may_use_mount() - check if a mount tree can be used
3596 * @mnt: vfsmount to be used
3597 *
3598 * This helper checks if the caller may use the mount tree starting
3599 * from @path->mnt. The caller may use the mount tree under the
3600 * following circumstances:
3601 *
3602 * (1) The caller is located in the mount namespace of the mount tree.
3603 * This also implies that the mount does not belong to an anonymous
3604 * mount namespace.
3605 * (2) The caller is trying to use a mount tree that belongs to an
3606 * anonymous mount namespace.
3607 *
3608 * For that to be safe, this helper enforces that the origin mount
3609 * namespace the anonymous mount namespace was created from is the
3610 * same as the caller's mount namespace by comparing the sequence
3611 * numbers.
3612 *
3613 * The ownership of a non-anonymous mount namespace such as the
3614 * caller's cannot change.
3615 * => We know that the caller's mount namespace is stable.
3616 *
3617 * If the origin sequence number of the anonymous mount namespace is
3618 * the same as the sequence number of the caller's mount namespace.
3619 * => The owning namespaces are the same.
3620 *
3621 * ==> The earlier capability check on the owning namespace of the
3622 * caller's mount namespace ensures that the caller has the
3623 * ability to use the mount tree.
3624 *
3625 * Returns true if the mount tree can be used, false otherwise.
3626 */
may_use_mount(struct mount * mnt)3627 static inline bool may_use_mount(struct mount *mnt)
3628 {
3629 if (check_mnt(mnt))
3630 return true;
3631
3632 /*
3633 * Make sure that noone unmounted the target path or somehow
3634 * managed to get their hands on something purely kernel
3635 * internal.
3636 */
3637 if (!is_mounted(&mnt->mnt))
3638 return false;
3639
3640 return check_anonymous_mnt(mnt);
3641 }
3642
do_move_mount(struct path * old_path,struct path * new_path,enum mnt_tree_flags_t flags)3643 static int do_move_mount(struct path *old_path,
3644 struct path *new_path, enum mnt_tree_flags_t flags)
3645 {
3646 struct mnt_namespace *ns;
3647 struct mount *p;
3648 struct mount *old;
3649 struct mount *parent;
3650 struct mountpoint *mp, *old_mp;
3651 int err;
3652 bool attached, beneath = flags & MNT_TREE_BENEATH;
3653
3654 mp = do_lock_mount(new_path, beneath);
3655 if (IS_ERR(mp))
3656 return PTR_ERR(mp);
3657
3658 old = real_mount(old_path->mnt);
3659 p = real_mount(new_path->mnt);
3660 parent = old->mnt_parent;
3661 attached = mnt_has_parent(old);
3662 if (attached)
3663 flags |= MNT_TREE_MOVE;
3664 old_mp = old->mnt_mp;
3665 ns = old->mnt_ns;
3666
3667 err = -EINVAL;
3668 /* The thing moved must be mounted... */
3669 if (!is_mounted(&old->mnt))
3670 goto out;
3671
3672 if (check_mnt(old)) {
3673 /* if the source is in our namespace... */
3674 /* ... it should be detachable from parent */
3675 if (!mnt_has_parent(old) || IS_MNT_LOCKED(old))
3676 goto out;
3677 /* ... and the target should be in our namespace */
3678 if (!check_mnt(p))
3679 goto out;
3680 } else {
3681 /*
3682 * otherwise the source must be the root of some anon namespace.
3683 * AV: check for mount being root of an anon namespace is worth
3684 * an inlined predicate...
3685 */
3686 if (!is_anon_ns(ns) || mnt_has_parent(old))
3687 goto out;
3688 /*
3689 * Bail out early if the target is within the same namespace -
3690 * subsequent checks would've rejected that, but they lose
3691 * some corner cases if we check it early.
3692 */
3693 if (ns == p->mnt_ns)
3694 goto out;
3695 /*
3696 * Target should be either in our namespace or in an acceptable
3697 * anon namespace, sensu check_anonymous_mnt().
3698 */
3699 if (!may_use_mount(p))
3700 goto out;
3701 }
3702
3703 if (!path_mounted(old_path))
3704 goto out;
3705
3706 if (d_is_dir(new_path->dentry) !=
3707 d_is_dir(old_path->dentry))
3708 goto out;
3709 /*
3710 * Don't move a mount residing in a shared parent.
3711 */
3712 if (attached && IS_MNT_SHARED(parent))
3713 goto out;
3714
3715 if (beneath) {
3716 err = can_move_mount_beneath(old_path, new_path, mp);
3717 if (err)
3718 goto out;
3719
3720 err = -EINVAL;
3721 p = p->mnt_parent;
3722 flags |= MNT_TREE_BENEATH;
3723 }
3724
3725 /*
3726 * Don't move a mount tree containing unbindable mounts to a destination
3727 * mount which is shared.
3728 */
3729 if (IS_MNT_SHARED(p) && tree_contains_unbindable(old))
3730 goto out;
3731 err = -ELOOP;
3732 if (!check_for_nsfs_mounts(old))
3733 goto out;
3734 for (; mnt_has_parent(p); p = p->mnt_parent)
3735 if (p == old)
3736 goto out;
3737
3738 err = attach_recursive_mnt(old, real_mount(new_path->mnt), mp, flags);
3739 if (err)
3740 goto out;
3741
3742 /* if the mount is moved, it should no longer be expire
3743 * automatically */
3744 list_del_init(&old->mnt_expire);
3745 if (attached)
3746 put_mountpoint(old_mp);
3747 out:
3748 unlock_mount(mp);
3749 if (!err) {
3750 if (attached) {
3751 mntput_no_expire(parent);
3752 } else {
3753 /* Make sure we notice when we leak mounts. */
3754 VFS_WARN_ON_ONCE(!mnt_ns_empty(ns));
3755 free_mnt_ns(ns);
3756 }
3757 }
3758 return err;
3759 }
3760
do_move_mount_old(struct path * path,const char * old_name)3761 static int do_move_mount_old(struct path *path, const char *old_name)
3762 {
3763 struct path old_path;
3764 int err;
3765
3766 if (!old_name || !*old_name)
3767 return -EINVAL;
3768
3769 err = kern_path(old_name, LOOKUP_FOLLOW, &old_path);
3770 if (err)
3771 return err;
3772
3773 err = do_move_mount(&old_path, path, 0);
3774 path_put(&old_path);
3775 return err;
3776 }
3777
3778 /*
3779 * add a mount into a namespace's mount tree
3780 */
do_add_mount(struct mount * newmnt,struct mountpoint * mp,const struct path * path,int mnt_flags)3781 static int do_add_mount(struct mount *newmnt, struct mountpoint *mp,
3782 const struct path *path, int mnt_flags)
3783 {
3784 struct mount *parent = real_mount(path->mnt);
3785
3786 mnt_flags &= ~MNT_INTERNAL_FLAGS;
3787
3788 if (unlikely(!check_mnt(parent))) {
3789 /* that's acceptable only for automounts done in private ns */
3790 if (!(mnt_flags & MNT_SHRINKABLE))
3791 return -EINVAL;
3792 /* ... and for those we'd better have mountpoint still alive */
3793 if (!parent->mnt_ns)
3794 return -EINVAL;
3795 }
3796
3797 /* Refuse the same filesystem on the same mount point */
3798 if (path->mnt->mnt_sb == newmnt->mnt.mnt_sb && path_mounted(path))
3799 return -EBUSY;
3800
3801 if (d_is_symlink(newmnt->mnt.mnt_root))
3802 return -EINVAL;
3803
3804 newmnt->mnt.mnt_flags = mnt_flags;
3805 return graft_tree(newmnt, parent, mp);
3806 }
3807
3808 static bool mount_too_revealing(const struct super_block *sb, int *new_mnt_flags);
3809
3810 /*
3811 * Create a new mount using a superblock configuration and request it
3812 * be added to the namespace tree.
3813 */
do_new_mount_fc(struct fs_context * fc,struct path * mountpoint,unsigned int mnt_flags)3814 static int do_new_mount_fc(struct fs_context *fc, struct path *mountpoint,
3815 unsigned int mnt_flags)
3816 {
3817 struct vfsmount *mnt;
3818 struct mountpoint *mp;
3819 struct super_block *sb = fc->root->d_sb;
3820 int error;
3821
3822 error = security_sb_kern_mount(sb);
3823 if (!error && mount_too_revealing(sb, &mnt_flags))
3824 error = -EPERM;
3825
3826 if (unlikely(error)) {
3827 fc_drop_locked(fc);
3828 return error;
3829 }
3830
3831 up_write(&sb->s_umount);
3832
3833 mnt = vfs_create_mount(fc);
3834 if (IS_ERR(mnt))
3835 return PTR_ERR(mnt);
3836
3837 mnt_warn_timestamp_expiry(mountpoint, mnt);
3838
3839 mp = lock_mount(mountpoint);
3840 if (IS_ERR(mp)) {
3841 mntput(mnt);
3842 return PTR_ERR(mp);
3843 }
3844 error = do_add_mount(real_mount(mnt), mp, mountpoint, mnt_flags);
3845 unlock_mount(mp);
3846 if (error < 0)
3847 mntput(mnt);
3848 return error;
3849 }
3850
3851 /*
3852 * create a new mount for userspace and request it to be added into the
3853 * namespace's tree
3854 */
do_new_mount(struct path * path,const char * fstype,int sb_flags,int mnt_flags,const char * name,void * data)3855 static int do_new_mount(struct path *path, const char *fstype, int sb_flags,
3856 int mnt_flags, const char *name, void *data)
3857 {
3858 struct file_system_type *type;
3859 struct fs_context *fc;
3860 const char *subtype = NULL;
3861 int err = 0;
3862
3863 if (!fstype)
3864 return -EINVAL;
3865
3866 type = get_fs_type(fstype);
3867 if (!type)
3868 return -ENODEV;
3869
3870 if (type->fs_flags & FS_HAS_SUBTYPE) {
3871 subtype = strchr(fstype, '.');
3872 if (subtype) {
3873 subtype++;
3874 if (!*subtype) {
3875 put_filesystem(type);
3876 return -EINVAL;
3877 }
3878 }
3879 }
3880
3881 fc = fs_context_for_mount(type, sb_flags);
3882 put_filesystem(type);
3883 if (IS_ERR(fc))
3884 return PTR_ERR(fc);
3885
3886 /*
3887 * Indicate to the filesystem that the mount request is coming
3888 * from the legacy mount system call.
3889 */
3890 fc->oldapi = true;
3891
3892 if (subtype)
3893 err = vfs_parse_fs_string(fc, "subtype",
3894 subtype, strlen(subtype));
3895 if (!err && name)
3896 err = vfs_parse_fs_string(fc, "source", name, strlen(name));
3897 if (!err)
3898 err = parse_monolithic_mount_data(fc, data);
3899 if (!err && !mount_capable(fc))
3900 err = -EPERM;
3901 if (!err)
3902 err = vfs_get_tree(fc);
3903 if (!err)
3904 err = do_new_mount_fc(fc, path, mnt_flags);
3905
3906 put_fs_context(fc);
3907 return err;
3908 }
3909
finish_automount(struct vfsmount * m,const struct path * path)3910 int finish_automount(struct vfsmount *m, const struct path *path)
3911 {
3912 struct dentry *dentry = path->dentry;
3913 struct mountpoint *mp;
3914 struct mount *mnt;
3915 int err;
3916
3917 if (!m)
3918 return 0;
3919 if (IS_ERR(m))
3920 return PTR_ERR(m);
3921
3922 mnt = real_mount(m);
3923
3924 if (m->mnt_sb == path->mnt->mnt_sb &&
3925 m->mnt_root == dentry) {
3926 err = -ELOOP;
3927 goto discard;
3928 }
3929
3930 /*
3931 * we don't want to use lock_mount() - in this case finding something
3932 * that overmounts our mountpoint to be means "quitely drop what we've
3933 * got", not "try to mount it on top".
3934 */
3935 inode_lock(dentry->d_inode);
3936 namespace_lock();
3937 if (unlikely(cant_mount(dentry))) {
3938 err = -ENOENT;
3939 goto discard_locked;
3940 }
3941 if (path_overmounted(path)) {
3942 err = 0;
3943 goto discard_locked;
3944 }
3945 mp = get_mountpoint(dentry);
3946 if (IS_ERR(mp)) {
3947 err = PTR_ERR(mp);
3948 goto discard_locked;
3949 }
3950
3951 err = do_add_mount(mnt, mp, path, path->mnt->mnt_flags | MNT_SHRINKABLE);
3952 unlock_mount(mp);
3953 if (unlikely(err))
3954 goto discard;
3955 return 0;
3956
3957 discard_locked:
3958 namespace_unlock();
3959 inode_unlock(dentry->d_inode);
3960 discard:
3961 /* remove m from any expiration list it may be on */
3962 if (!list_empty(&mnt->mnt_expire)) {
3963 namespace_lock();
3964 list_del_init(&mnt->mnt_expire);
3965 namespace_unlock();
3966 }
3967 mntput(m);
3968 return err;
3969 }
3970
3971 /**
3972 * mnt_set_expiry - Put a mount on an expiration list
3973 * @mnt: The mount to list.
3974 * @expiry_list: The list to add the mount to.
3975 */
mnt_set_expiry(struct vfsmount * mnt,struct list_head * expiry_list)3976 void mnt_set_expiry(struct vfsmount *mnt, struct list_head *expiry_list)
3977 {
3978 namespace_lock();
3979
3980 list_add_tail(&real_mount(mnt)->mnt_expire, expiry_list);
3981
3982 namespace_unlock();
3983 }
3984 EXPORT_SYMBOL(mnt_set_expiry);
3985
3986 /*
3987 * process a list of expirable mountpoints with the intent of discarding any
3988 * mountpoints that aren't in use and haven't been touched since last we came
3989 * here
3990 */
mark_mounts_for_expiry(struct list_head * mounts)3991 void mark_mounts_for_expiry(struct list_head *mounts)
3992 {
3993 struct mount *mnt, *next;
3994 LIST_HEAD(graveyard);
3995
3996 if (list_empty(mounts))
3997 return;
3998
3999 namespace_lock();
4000 lock_mount_hash();
4001
4002 /* extract from the expiration list every vfsmount that matches the
4003 * following criteria:
4004 * - already mounted
4005 * - only referenced by its parent vfsmount
4006 * - still marked for expiry (marked on the last call here; marks are
4007 * cleared by mntput())
4008 */
4009 list_for_each_entry_safe(mnt, next, mounts, mnt_expire) {
4010 if (!is_mounted(&mnt->mnt))
4011 continue;
4012 if (!xchg(&mnt->mnt_expiry_mark, 1) ||
4013 propagate_mount_busy(mnt, 1))
4014 continue;
4015 list_move(&mnt->mnt_expire, &graveyard);
4016 }
4017 while (!list_empty(&graveyard)) {
4018 mnt = list_first_entry(&graveyard, struct mount, mnt_expire);
4019 touch_mnt_namespace(mnt->mnt_ns);
4020 umount_tree(mnt, UMOUNT_PROPAGATE|UMOUNT_SYNC);
4021 }
4022 unlock_mount_hash();
4023 namespace_unlock();
4024 }
4025
4026 EXPORT_SYMBOL_GPL(mark_mounts_for_expiry);
4027
4028 /*
4029 * Ripoff of 'select_parent()'
4030 *
4031 * search the list of submounts for a given mountpoint, and move any
4032 * shrinkable submounts to the 'graveyard' list.
4033 */
select_submounts(struct mount * parent,struct list_head * graveyard)4034 static int select_submounts(struct mount *parent, struct list_head *graveyard)
4035 {
4036 struct mount *this_parent = parent;
4037 struct list_head *next;
4038 int found = 0;
4039
4040 repeat:
4041 next = this_parent->mnt_mounts.next;
4042 resume:
4043 while (next != &this_parent->mnt_mounts) {
4044 struct list_head *tmp = next;
4045 struct mount *mnt = list_entry(tmp, struct mount, mnt_child);
4046
4047 next = tmp->next;
4048 if (!(mnt->mnt.mnt_flags & MNT_SHRINKABLE))
4049 continue;
4050 /*
4051 * Descend a level if the d_mounts list is non-empty.
4052 */
4053 if (!list_empty(&mnt->mnt_mounts)) {
4054 this_parent = mnt;
4055 goto repeat;
4056 }
4057
4058 if (!propagate_mount_busy(mnt, 1)) {
4059 list_move_tail(&mnt->mnt_expire, graveyard);
4060 found++;
4061 }
4062 }
4063 /*
4064 * All done at this level ... ascend and resume the search
4065 */
4066 if (this_parent != parent) {
4067 next = this_parent->mnt_child.next;
4068 this_parent = this_parent->mnt_parent;
4069 goto resume;
4070 }
4071 return found;
4072 }
4073
4074 /*
4075 * process a list of expirable mountpoints with the intent of discarding any
4076 * submounts of a specific parent mountpoint
4077 *
4078 * mount_lock must be held for write
4079 */
shrink_submounts(struct mount * mnt)4080 static void shrink_submounts(struct mount *mnt)
4081 {
4082 LIST_HEAD(graveyard);
4083 struct mount *m;
4084
4085 /* extract submounts of 'mountpoint' from the expiration list */
4086 while (select_submounts(mnt, &graveyard)) {
4087 while (!list_empty(&graveyard)) {
4088 m = list_first_entry(&graveyard, struct mount,
4089 mnt_expire);
4090 touch_mnt_namespace(m->mnt_ns);
4091 umount_tree(m, UMOUNT_PROPAGATE|UMOUNT_SYNC);
4092 }
4093 }
4094 }
4095
copy_mount_options(const void __user * data)4096 static void *copy_mount_options(const void __user * data)
4097 {
4098 char *copy;
4099 unsigned left, offset;
4100
4101 if (!data)
4102 return NULL;
4103
4104 copy = kmalloc(PAGE_SIZE, GFP_KERNEL);
4105 if (!copy)
4106 return ERR_PTR(-ENOMEM);
4107
4108 left = copy_from_user(copy, data, PAGE_SIZE);
4109
4110 /*
4111 * Not all architectures have an exact copy_from_user(). Resort to
4112 * byte at a time.
4113 */
4114 offset = PAGE_SIZE - left;
4115 while (left) {
4116 char c;
4117 if (get_user(c, (const char __user *)data + offset))
4118 break;
4119 copy[offset] = c;
4120 left--;
4121 offset++;
4122 }
4123
4124 if (left == PAGE_SIZE) {
4125 kfree(copy);
4126 return ERR_PTR(-EFAULT);
4127 }
4128
4129 return copy;
4130 }
4131
copy_mount_string(const void __user * data)4132 static char *copy_mount_string(const void __user *data)
4133 {
4134 return data ? strndup_user(data, PATH_MAX) : NULL;
4135 }
4136
4137 /*
4138 * Flags is a 32-bit value that allows up to 31 non-fs dependent flags to
4139 * be given to the mount() call (ie: read-only, no-dev, no-suid etc).
4140 *
4141 * data is a (void *) that can point to any structure up to
4142 * PAGE_SIZE-1 bytes, which can contain arbitrary fs-dependent
4143 * information (or be NULL).
4144 *
4145 * Pre-0.97 versions of mount() didn't have a flags word.
4146 * When the flags word was introduced its top half was required
4147 * to have the magic value 0xC0ED, and this remained so until 2.4.0-test9.
4148 * Therefore, if this magic number is present, it carries no information
4149 * and must be discarded.
4150 */
path_mount(const char * dev_name,struct path * path,const char * type_page,unsigned long flags,void * data_page)4151 int path_mount(const char *dev_name, struct path *path,
4152 const char *type_page, unsigned long flags, void *data_page)
4153 {
4154 unsigned int mnt_flags = 0, sb_flags;
4155 int ret;
4156
4157 /* Discard magic */
4158 if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
4159 flags &= ~MS_MGC_MSK;
4160
4161 /* Basic sanity checks */
4162 if (data_page)
4163 ((char *)data_page)[PAGE_SIZE - 1] = 0;
4164
4165 if (flags & MS_NOUSER)
4166 return -EINVAL;
4167
4168 ret = security_sb_mount(dev_name, path, type_page, flags, data_page);
4169 if (ret)
4170 return ret;
4171 if (!may_mount())
4172 return -EPERM;
4173 if (flags & SB_MANDLOCK)
4174 warn_mandlock();
4175
4176 /* Default to relatime unless overriden */
4177 if (!(flags & MS_NOATIME))
4178 mnt_flags |= MNT_RELATIME;
4179
4180 /* Separate the per-mountpoint flags */
4181 if (flags & MS_NOSUID)
4182 mnt_flags |= MNT_NOSUID;
4183 if (flags & MS_NODEV)
4184 mnt_flags |= MNT_NODEV;
4185 if (flags & MS_NOEXEC)
4186 mnt_flags |= MNT_NOEXEC;
4187 if (flags & MS_NOATIME)
4188 mnt_flags |= MNT_NOATIME;
4189 if (flags & MS_NODIRATIME)
4190 mnt_flags |= MNT_NODIRATIME;
4191 if (flags & MS_STRICTATIME)
4192 mnt_flags &= ~(MNT_RELATIME | MNT_NOATIME);
4193 if (flags & MS_RDONLY)
4194 mnt_flags |= MNT_READONLY;
4195 if (flags & MS_NOSYMFOLLOW)
4196 mnt_flags |= MNT_NOSYMFOLLOW;
4197
4198 /* The default atime for remount is preservation */
4199 if ((flags & MS_REMOUNT) &&
4200 ((flags & (MS_NOATIME | MS_NODIRATIME | MS_RELATIME |
4201 MS_STRICTATIME)) == 0)) {
4202 mnt_flags &= ~MNT_ATIME_MASK;
4203 mnt_flags |= path->mnt->mnt_flags & MNT_ATIME_MASK;
4204 }
4205
4206 sb_flags = flags & (SB_RDONLY |
4207 SB_SYNCHRONOUS |
4208 SB_MANDLOCK |
4209 SB_DIRSYNC |
4210 SB_SILENT |
4211 SB_POSIXACL |
4212 SB_LAZYTIME |
4213 SB_I_VERSION);
4214
4215 if ((flags & (MS_REMOUNT | MS_BIND)) == (MS_REMOUNT | MS_BIND))
4216 return do_reconfigure_mnt(path, mnt_flags);
4217 if (flags & MS_REMOUNT)
4218 return do_remount(path, flags, sb_flags, mnt_flags, data_page);
4219 if (flags & MS_BIND)
4220 return do_loopback(path, dev_name, flags & MS_REC);
4221 if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE))
4222 return do_change_type(path, flags);
4223 if (flags & MS_MOVE)
4224 return do_move_mount_old(path, dev_name);
4225
4226 return do_new_mount(path, type_page, sb_flags, mnt_flags, dev_name,
4227 data_page);
4228 }
4229
do_mount(const char * dev_name,const char __user * dir_name,const char * type_page,unsigned long flags,void * data_page)4230 int do_mount(const char *dev_name, const char __user *dir_name,
4231 const char *type_page, unsigned long flags, void *data_page)
4232 {
4233 struct path path;
4234 int ret;
4235
4236 ret = user_path_at(AT_FDCWD, dir_name, LOOKUP_FOLLOW, &path);
4237 if (ret)
4238 return ret;
4239 ret = path_mount(dev_name, &path, type_page, flags, data_page);
4240 path_put(&path);
4241 return ret;
4242 }
4243
inc_mnt_namespaces(struct user_namespace * ns)4244 static struct ucounts *inc_mnt_namespaces(struct user_namespace *ns)
4245 {
4246 return inc_ucount(ns, current_euid(), UCOUNT_MNT_NAMESPACES);
4247 }
4248
dec_mnt_namespaces(struct ucounts * ucounts)4249 static void dec_mnt_namespaces(struct ucounts *ucounts)
4250 {
4251 dec_ucount(ucounts, UCOUNT_MNT_NAMESPACES);
4252 }
4253
free_mnt_ns(struct mnt_namespace * ns)4254 static void free_mnt_ns(struct mnt_namespace *ns)
4255 {
4256 if (!is_anon_ns(ns))
4257 ns_free_inum(&ns->ns);
4258 dec_mnt_namespaces(ns->ucounts);
4259 mnt_ns_tree_remove(ns);
4260 }
4261
4262 /*
4263 * Assign a sequence number so we can detect when we attempt to bind
4264 * mount a reference to an older mount namespace into the current
4265 * mount namespace, preventing reference counting loops. A 64bit
4266 * number incrementing at 10Ghz will take 12,427 years to wrap which
4267 * is effectively never, so we can ignore the possibility.
4268 */
4269 static atomic64_t mnt_ns_seq = ATOMIC64_INIT(1);
4270
alloc_mnt_ns(struct user_namespace * user_ns,bool anon)4271 static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns, bool anon)
4272 {
4273 struct mnt_namespace *new_ns;
4274 struct ucounts *ucounts;
4275 int ret;
4276
4277 ucounts = inc_mnt_namespaces(user_ns);
4278 if (!ucounts)
4279 return ERR_PTR(-ENOSPC);
4280
4281 new_ns = kzalloc(sizeof(struct mnt_namespace), GFP_KERNEL_ACCOUNT);
4282 if (!new_ns) {
4283 dec_mnt_namespaces(ucounts);
4284 return ERR_PTR(-ENOMEM);
4285 }
4286 if (!anon) {
4287 ret = ns_alloc_inum(&new_ns->ns);
4288 if (ret) {
4289 kfree(new_ns);
4290 dec_mnt_namespaces(ucounts);
4291 return ERR_PTR(ret);
4292 }
4293 }
4294 new_ns->ns.ops = &mntns_operations;
4295 if (!anon)
4296 new_ns->seq = atomic64_inc_return(&mnt_ns_seq);
4297 refcount_set(&new_ns->ns.count, 1);
4298 refcount_set(&new_ns->passive, 1);
4299 new_ns->mounts = RB_ROOT;
4300 INIT_LIST_HEAD(&new_ns->mnt_ns_list);
4301 RB_CLEAR_NODE(&new_ns->mnt_ns_tree_node);
4302 init_waitqueue_head(&new_ns->poll);
4303 new_ns->user_ns = get_user_ns(user_ns);
4304 new_ns->ucounts = ucounts;
4305 return new_ns;
4306 }
4307
4308 __latent_entropy
copy_mnt_ns(unsigned long flags,struct mnt_namespace * ns,struct user_namespace * user_ns,struct fs_struct * new_fs)4309 struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
4310 struct user_namespace *user_ns, struct fs_struct *new_fs)
4311 {
4312 struct mnt_namespace *new_ns;
4313 struct vfsmount *rootmnt = NULL, *pwdmnt = NULL;
4314 struct mount *p, *q;
4315 struct mount *old;
4316 struct mount *new;
4317 int copy_flags;
4318
4319 BUG_ON(!ns);
4320
4321 if (likely(!(flags & CLONE_NEWNS))) {
4322 get_mnt_ns(ns);
4323 return ns;
4324 }
4325
4326 old = ns->root;
4327
4328 new_ns = alloc_mnt_ns(user_ns, false);
4329 if (IS_ERR(new_ns))
4330 return new_ns;
4331
4332 namespace_lock();
4333 /* First pass: copy the tree topology */
4334 copy_flags = CL_COPY_UNBINDABLE | CL_EXPIRE;
4335 if (user_ns != ns->user_ns)
4336 copy_flags |= CL_SHARED_TO_SLAVE;
4337 new = copy_tree(old, old->mnt.mnt_root, copy_flags);
4338 if (IS_ERR(new)) {
4339 namespace_unlock();
4340 ns_free_inum(&new_ns->ns);
4341 dec_mnt_namespaces(new_ns->ucounts);
4342 mnt_ns_release(new_ns);
4343 return ERR_CAST(new);
4344 }
4345 if (user_ns != ns->user_ns) {
4346 lock_mount_hash();
4347 lock_mnt_tree(new);
4348 unlock_mount_hash();
4349 }
4350 new_ns->root = new;
4351
4352 /*
4353 * Second pass: switch the tsk->fs->* elements and mark new vfsmounts
4354 * as belonging to new namespace. We have already acquired a private
4355 * fs_struct, so tsk->fs->lock is not needed.
4356 */
4357 p = old;
4358 q = new;
4359 while (p) {
4360 mnt_add_to_ns(new_ns, q);
4361 new_ns->nr_mounts++;
4362 if (new_fs) {
4363 if (&p->mnt == new_fs->root.mnt) {
4364 new_fs->root.mnt = mntget(&q->mnt);
4365 rootmnt = &p->mnt;
4366 }
4367 if (&p->mnt == new_fs->pwd.mnt) {
4368 new_fs->pwd.mnt = mntget(&q->mnt);
4369 pwdmnt = &p->mnt;
4370 }
4371 }
4372 p = next_mnt(p, old);
4373 q = next_mnt(q, new);
4374 if (!q)
4375 break;
4376 // an mntns binding we'd skipped?
4377 while (p->mnt.mnt_root != q->mnt.mnt_root)
4378 p = next_mnt(skip_mnt_tree(p), old);
4379 }
4380 namespace_unlock();
4381
4382 if (rootmnt)
4383 mntput(rootmnt);
4384 if (pwdmnt)
4385 mntput(pwdmnt);
4386
4387 mnt_ns_tree_add(new_ns);
4388 return new_ns;
4389 }
4390
mount_subtree(struct vfsmount * m,const char * name)4391 struct dentry *mount_subtree(struct vfsmount *m, const char *name)
4392 {
4393 struct mount *mnt = real_mount(m);
4394 struct mnt_namespace *ns;
4395 struct super_block *s;
4396 struct path path;
4397 int err;
4398
4399 ns = alloc_mnt_ns(&init_user_ns, true);
4400 if (IS_ERR(ns)) {
4401 mntput(m);
4402 return ERR_CAST(ns);
4403 }
4404 ns->root = mnt;
4405 ns->nr_mounts++;
4406 mnt_add_to_ns(ns, mnt);
4407
4408 err = vfs_path_lookup(m->mnt_root, m,
4409 name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &path);
4410
4411 put_mnt_ns(ns);
4412
4413 if (err)
4414 return ERR_PTR(err);
4415
4416 /* trade a vfsmount reference for active sb one */
4417 s = path.mnt->mnt_sb;
4418 atomic_inc(&s->s_active);
4419 mntput(path.mnt);
4420 /* lock the sucker */
4421 down_write(&s->s_umount);
4422 /* ... and return the root of (sub)tree on it */
4423 return path.dentry;
4424 }
4425 EXPORT_SYMBOL(mount_subtree);
4426
SYSCALL_DEFINE5(mount,char __user *,dev_name,char __user *,dir_name,char __user *,type,unsigned long,flags,void __user *,data)4427 SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
4428 char __user *, type, unsigned long, flags, void __user *, data)
4429 {
4430 int ret;
4431 char *kernel_type;
4432 char *kernel_dev;
4433 void *options;
4434
4435 kernel_type = copy_mount_string(type);
4436 ret = PTR_ERR(kernel_type);
4437 if (IS_ERR(kernel_type))
4438 goto out_type;
4439
4440 kernel_dev = copy_mount_string(dev_name);
4441 ret = PTR_ERR(kernel_dev);
4442 if (IS_ERR(kernel_dev))
4443 goto out_dev;
4444
4445 options = copy_mount_options(data);
4446 ret = PTR_ERR(options);
4447 if (IS_ERR(options))
4448 goto out_data;
4449
4450 ret = do_mount(kernel_dev, dir_name, kernel_type, flags, options);
4451
4452 kfree(options);
4453 out_data:
4454 kfree(kernel_dev);
4455 out_dev:
4456 kfree(kernel_type);
4457 out_type:
4458 return ret;
4459 }
4460
4461 #define FSMOUNT_VALID_FLAGS \
4462 (MOUNT_ATTR_RDONLY | MOUNT_ATTR_NOSUID | MOUNT_ATTR_NODEV | \
4463 MOUNT_ATTR_NOEXEC | MOUNT_ATTR__ATIME | MOUNT_ATTR_NODIRATIME | \
4464 MOUNT_ATTR_NOSYMFOLLOW)
4465
4466 #define MOUNT_SETATTR_VALID_FLAGS (FSMOUNT_VALID_FLAGS | MOUNT_ATTR_IDMAP)
4467
4468 #define MOUNT_SETATTR_PROPAGATION_FLAGS \
4469 (MS_UNBINDABLE | MS_PRIVATE | MS_SLAVE | MS_SHARED)
4470
attr_flags_to_mnt_flags(u64 attr_flags)4471 static unsigned int attr_flags_to_mnt_flags(u64 attr_flags)
4472 {
4473 unsigned int mnt_flags = 0;
4474
4475 if (attr_flags & MOUNT_ATTR_RDONLY)
4476 mnt_flags |= MNT_READONLY;
4477 if (attr_flags & MOUNT_ATTR_NOSUID)
4478 mnt_flags |= MNT_NOSUID;
4479 if (attr_flags & MOUNT_ATTR_NODEV)
4480 mnt_flags |= MNT_NODEV;
4481 if (attr_flags & MOUNT_ATTR_NOEXEC)
4482 mnt_flags |= MNT_NOEXEC;
4483 if (attr_flags & MOUNT_ATTR_NODIRATIME)
4484 mnt_flags |= MNT_NODIRATIME;
4485 if (attr_flags & MOUNT_ATTR_NOSYMFOLLOW)
4486 mnt_flags |= MNT_NOSYMFOLLOW;
4487
4488 return mnt_flags;
4489 }
4490
4491 /*
4492 * Create a kernel mount representation for a new, prepared superblock
4493 * (specified by fs_fd) and attach to an open_tree-like file descriptor.
4494 */
SYSCALL_DEFINE3(fsmount,int,fs_fd,unsigned int,flags,unsigned int,attr_flags)4495 SYSCALL_DEFINE3(fsmount, int, fs_fd, unsigned int, flags,
4496 unsigned int, attr_flags)
4497 {
4498 struct mnt_namespace *ns;
4499 struct fs_context *fc;
4500 struct file *file;
4501 struct path newmount;
4502 struct mount *mnt;
4503 unsigned int mnt_flags = 0;
4504 long ret;
4505
4506 if (!may_mount())
4507 return -EPERM;
4508
4509 if ((flags & ~(FSMOUNT_CLOEXEC)) != 0)
4510 return -EINVAL;
4511
4512 if (attr_flags & ~FSMOUNT_VALID_FLAGS)
4513 return -EINVAL;
4514
4515 mnt_flags = attr_flags_to_mnt_flags(attr_flags);
4516
4517 switch (attr_flags & MOUNT_ATTR__ATIME) {
4518 case MOUNT_ATTR_STRICTATIME:
4519 break;
4520 case MOUNT_ATTR_NOATIME:
4521 mnt_flags |= MNT_NOATIME;
4522 break;
4523 case MOUNT_ATTR_RELATIME:
4524 mnt_flags |= MNT_RELATIME;
4525 break;
4526 default:
4527 return -EINVAL;
4528 }
4529
4530 CLASS(fd, f)(fs_fd);
4531 if (fd_empty(f))
4532 return -EBADF;
4533
4534 if (fd_file(f)->f_op != &fscontext_fops)
4535 return -EINVAL;
4536
4537 fc = fd_file(f)->private_data;
4538
4539 ret = mutex_lock_interruptible(&fc->uapi_mutex);
4540 if (ret < 0)
4541 return ret;
4542
4543 /* There must be a valid superblock or we can't mount it */
4544 ret = -EINVAL;
4545 if (!fc->root)
4546 goto err_unlock;
4547
4548 ret = -EPERM;
4549 if (mount_too_revealing(fc->root->d_sb, &mnt_flags)) {
4550 pr_warn("VFS: Mount too revealing\n");
4551 goto err_unlock;
4552 }
4553
4554 ret = -EBUSY;
4555 if (fc->phase != FS_CONTEXT_AWAITING_MOUNT)
4556 goto err_unlock;
4557
4558 if (fc->sb_flags & SB_MANDLOCK)
4559 warn_mandlock();
4560
4561 newmount.mnt = vfs_create_mount(fc);
4562 if (IS_ERR(newmount.mnt)) {
4563 ret = PTR_ERR(newmount.mnt);
4564 goto err_unlock;
4565 }
4566 newmount.dentry = dget(fc->root);
4567 newmount.mnt->mnt_flags = mnt_flags;
4568
4569 /* We've done the mount bit - now move the file context into more or
4570 * less the same state as if we'd done an fspick(). We don't want to
4571 * do any memory allocation or anything like that at this point as we
4572 * don't want to have to handle any errors incurred.
4573 */
4574 vfs_clean_context(fc);
4575
4576 ns = alloc_mnt_ns(current->nsproxy->mnt_ns->user_ns, true);
4577 if (IS_ERR(ns)) {
4578 ret = PTR_ERR(ns);
4579 goto err_path;
4580 }
4581 mnt = real_mount(newmount.mnt);
4582 ns->root = mnt;
4583 ns->nr_mounts = 1;
4584 mnt_add_to_ns(ns, mnt);
4585 mntget(newmount.mnt);
4586
4587 /* Attach to an apparent O_PATH fd with a note that we need to unmount
4588 * it, not just simply put it.
4589 */
4590 file = dentry_open(&newmount, O_PATH, fc->cred);
4591 if (IS_ERR(file)) {
4592 dissolve_on_fput(newmount.mnt);
4593 ret = PTR_ERR(file);
4594 goto err_path;
4595 }
4596 file->f_mode |= FMODE_NEED_UNMOUNT;
4597
4598 ret = get_unused_fd_flags((flags & FSMOUNT_CLOEXEC) ? O_CLOEXEC : 0);
4599 if (ret >= 0)
4600 fd_install(ret, file);
4601 else
4602 fput(file);
4603
4604 err_path:
4605 path_put(&newmount);
4606 err_unlock:
4607 mutex_unlock(&fc->uapi_mutex);
4608 return ret;
4609 }
4610
vfs_move_mount(struct path * from_path,struct path * to_path,enum mnt_tree_flags_t mflags)4611 static inline int vfs_move_mount(struct path *from_path, struct path *to_path,
4612 enum mnt_tree_flags_t mflags)
4613 {
4614 int ret;
4615
4616 ret = security_move_mount(from_path, to_path);
4617 if (ret)
4618 return ret;
4619
4620 if (mflags & MNT_TREE_PROPAGATION)
4621 return do_set_group(from_path, to_path);
4622
4623 return do_move_mount(from_path, to_path, mflags);
4624 }
4625
4626 /*
4627 * Move a mount from one place to another. In combination with
4628 * fsopen()/fsmount() this is used to install a new mount and in combination
4629 * with open_tree(OPEN_TREE_CLONE [| AT_RECURSIVE]) it can be used to copy
4630 * a mount subtree.
4631 *
4632 * Note the flags value is a combination of MOVE_MOUNT_* flags.
4633 */
SYSCALL_DEFINE5(move_mount,int,from_dfd,const char __user *,from_pathname,int,to_dfd,const char __user *,to_pathname,unsigned int,flags)4634 SYSCALL_DEFINE5(move_mount,
4635 int, from_dfd, const char __user *, from_pathname,
4636 int, to_dfd, const char __user *, to_pathname,
4637 unsigned int, flags)
4638 {
4639 struct path to_path __free(path_put) = {};
4640 struct path from_path __free(path_put) = {};
4641 struct filename *to_name __free(putname) = NULL;
4642 struct filename *from_name __free(putname) = NULL;
4643 unsigned int lflags, uflags;
4644 enum mnt_tree_flags_t mflags = 0;
4645 int ret = 0;
4646
4647 if (!may_mount())
4648 return -EPERM;
4649
4650 if (flags & ~MOVE_MOUNT__MASK)
4651 return -EINVAL;
4652
4653 if ((flags & (MOVE_MOUNT_BENEATH | MOVE_MOUNT_SET_GROUP)) ==
4654 (MOVE_MOUNT_BENEATH | MOVE_MOUNT_SET_GROUP))
4655 return -EINVAL;
4656
4657 if (flags & MOVE_MOUNT_SET_GROUP) mflags |= MNT_TREE_PROPAGATION;
4658 if (flags & MOVE_MOUNT_BENEATH) mflags |= MNT_TREE_BENEATH;
4659
4660 lflags = 0;
4661 if (flags & MOVE_MOUNT_F_SYMLINKS) lflags |= LOOKUP_FOLLOW;
4662 if (flags & MOVE_MOUNT_F_AUTOMOUNTS) lflags |= LOOKUP_AUTOMOUNT;
4663 uflags = 0;
4664 if (flags & MOVE_MOUNT_F_EMPTY_PATH) uflags = AT_EMPTY_PATH;
4665 from_name = getname_maybe_null(from_pathname, uflags);
4666 if (IS_ERR(from_name))
4667 return PTR_ERR(from_name);
4668
4669 lflags = 0;
4670 if (flags & MOVE_MOUNT_T_SYMLINKS) lflags |= LOOKUP_FOLLOW;
4671 if (flags & MOVE_MOUNT_T_AUTOMOUNTS) lflags |= LOOKUP_AUTOMOUNT;
4672 uflags = 0;
4673 if (flags & MOVE_MOUNT_T_EMPTY_PATH) uflags = AT_EMPTY_PATH;
4674 to_name = getname_maybe_null(to_pathname, uflags);
4675 if (IS_ERR(to_name))
4676 return PTR_ERR(to_name);
4677
4678 if (!to_name && to_dfd >= 0) {
4679 CLASS(fd_raw, f_to)(to_dfd);
4680 if (fd_empty(f_to))
4681 return -EBADF;
4682
4683 to_path = fd_file(f_to)->f_path;
4684 path_get(&to_path);
4685 } else {
4686 ret = filename_lookup(to_dfd, to_name, lflags, &to_path, NULL);
4687 if (ret)
4688 return ret;
4689 }
4690
4691 if (!from_name && from_dfd >= 0) {
4692 CLASS(fd_raw, f_from)(from_dfd);
4693 if (fd_empty(f_from))
4694 return -EBADF;
4695
4696 return vfs_move_mount(&fd_file(f_from)->f_path, &to_path, mflags);
4697 }
4698
4699 ret = filename_lookup(from_dfd, from_name, lflags, &from_path, NULL);
4700 if (ret)
4701 return ret;
4702
4703 return vfs_move_mount(&from_path, &to_path, mflags);
4704 }
4705
4706 /*
4707 * Return true if path is reachable from root
4708 *
4709 * namespace_sem or mount_lock is held
4710 */
is_path_reachable(struct mount * mnt,struct dentry * dentry,const struct path * root)4711 bool is_path_reachable(struct mount *mnt, struct dentry *dentry,
4712 const struct path *root)
4713 {
4714 while (&mnt->mnt != root->mnt && mnt_has_parent(mnt)) {
4715 dentry = mnt->mnt_mountpoint;
4716 mnt = mnt->mnt_parent;
4717 }
4718 return &mnt->mnt == root->mnt && is_subdir(dentry, root->dentry);
4719 }
4720
path_is_under(const struct path * path1,const struct path * path2)4721 bool path_is_under(const struct path *path1, const struct path *path2)
4722 {
4723 bool res;
4724 read_seqlock_excl(&mount_lock);
4725 res = is_path_reachable(real_mount(path1->mnt), path1->dentry, path2);
4726 read_sequnlock_excl(&mount_lock);
4727 return res;
4728 }
4729 EXPORT_SYMBOL(path_is_under);
4730
4731 /*
4732 * pivot_root Semantics:
4733 * Moves the root file system of the current process to the directory put_old,
4734 * makes new_root as the new root file system of the current process, and sets
4735 * root/cwd of all processes which had them on the current root to new_root.
4736 *
4737 * Restrictions:
4738 * The new_root and put_old must be directories, and must not be on the
4739 * same file system as the current process root. The put_old must be
4740 * underneath new_root, i.e. adding a non-zero number of /.. to the string
4741 * pointed to by put_old must yield the same directory as new_root. No other
4742 * file system may be mounted on put_old. After all, new_root is a mountpoint.
4743 *
4744 * Also, the current root cannot be on the 'rootfs' (initial ramfs) filesystem.
4745 * See Documentation/filesystems/ramfs-rootfs-initramfs.rst for alternatives
4746 * in this situation.
4747 *
4748 * Notes:
4749 * - we don't move root/cwd if they are not at the root (reason: if something
4750 * cared enough to change them, it's probably wrong to force them elsewhere)
4751 * - it's okay to pick a root that isn't the root of a file system, e.g.
4752 * /nfs/my_root where /nfs is the mount point. It must be a mountpoint,
4753 * though, so you may need to say mount --bind /nfs/my_root /nfs/my_root
4754 * first.
4755 */
SYSCALL_DEFINE2(pivot_root,const char __user *,new_root,const char __user *,put_old)4756 SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
4757 const char __user *, put_old)
4758 {
4759 struct path new, old, root;
4760 struct mount *new_mnt, *root_mnt, *old_mnt, *root_parent, *ex_parent;
4761 struct mountpoint *old_mp, *root_mp;
4762 int error;
4763
4764 if (!may_mount())
4765 return -EPERM;
4766
4767 error = user_path_at(AT_FDCWD, new_root,
4768 LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &new);
4769 if (error)
4770 goto out0;
4771
4772 error = user_path_at(AT_FDCWD, put_old,
4773 LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &old);
4774 if (error)
4775 goto out1;
4776
4777 error = security_sb_pivotroot(&old, &new);
4778 if (error)
4779 goto out2;
4780
4781 get_fs_root(current->fs, &root);
4782 old_mp = lock_mount(&old);
4783 error = PTR_ERR(old_mp);
4784 if (IS_ERR(old_mp))
4785 goto out3;
4786
4787 error = -EINVAL;
4788 new_mnt = real_mount(new.mnt);
4789 root_mnt = real_mount(root.mnt);
4790 old_mnt = real_mount(old.mnt);
4791 ex_parent = new_mnt->mnt_parent;
4792 root_parent = root_mnt->mnt_parent;
4793 if (IS_MNT_SHARED(old_mnt) ||
4794 IS_MNT_SHARED(ex_parent) ||
4795 IS_MNT_SHARED(root_parent))
4796 goto out4;
4797 if (!check_mnt(root_mnt) || !check_mnt(new_mnt))
4798 goto out4;
4799 if (new_mnt->mnt.mnt_flags & MNT_LOCKED)
4800 goto out4;
4801 error = -ENOENT;
4802 if (d_unlinked(new.dentry))
4803 goto out4;
4804 error = -EBUSY;
4805 if (new_mnt == root_mnt || old_mnt == root_mnt)
4806 goto out4; /* loop, on the same file system */
4807 error = -EINVAL;
4808 if (!path_mounted(&root))
4809 goto out4; /* not a mountpoint */
4810 if (!mnt_has_parent(root_mnt))
4811 goto out4; /* not attached */
4812 if (!path_mounted(&new))
4813 goto out4; /* not a mountpoint */
4814 if (!mnt_has_parent(new_mnt))
4815 goto out4; /* not attached */
4816 /* make sure we can reach put_old from new_root */
4817 if (!is_path_reachable(old_mnt, old.dentry, &new))
4818 goto out4;
4819 /* make certain new is below the root */
4820 if (!is_path_reachable(new_mnt, new.dentry, &root))
4821 goto out4;
4822 lock_mount_hash();
4823 umount_mnt(new_mnt);
4824 root_mp = unhash_mnt(root_mnt); /* we'll need its mountpoint */
4825 if (root_mnt->mnt.mnt_flags & MNT_LOCKED) {
4826 new_mnt->mnt.mnt_flags |= MNT_LOCKED;
4827 root_mnt->mnt.mnt_flags &= ~MNT_LOCKED;
4828 }
4829 /* mount old root on put_old */
4830 attach_mnt(root_mnt, old_mnt, old_mp, false);
4831 /* mount new_root on / */
4832 attach_mnt(new_mnt, root_parent, root_mp, false);
4833 mnt_add_count(root_parent, -1);
4834 touch_mnt_namespace(current->nsproxy->mnt_ns);
4835 /* A moved mount should not expire automatically */
4836 list_del_init(&new_mnt->mnt_expire);
4837 put_mountpoint(root_mp);
4838 unlock_mount_hash();
4839 mnt_notify_add(root_mnt);
4840 mnt_notify_add(new_mnt);
4841 chroot_fs_refs(&root, &new);
4842 error = 0;
4843 out4:
4844 unlock_mount(old_mp);
4845 if (!error)
4846 mntput_no_expire(ex_parent);
4847 out3:
4848 path_put(&root);
4849 out2:
4850 path_put(&old);
4851 out1:
4852 path_put(&new);
4853 out0:
4854 return error;
4855 }
4856
recalc_flags(struct mount_kattr * kattr,struct mount * mnt)4857 static unsigned int recalc_flags(struct mount_kattr *kattr, struct mount *mnt)
4858 {
4859 unsigned int flags = mnt->mnt.mnt_flags;
4860
4861 /* flags to clear */
4862 flags &= ~kattr->attr_clr;
4863 /* flags to raise */
4864 flags |= kattr->attr_set;
4865
4866 return flags;
4867 }
4868
can_idmap_mount(const struct mount_kattr * kattr,struct mount * mnt)4869 static int can_idmap_mount(const struct mount_kattr *kattr, struct mount *mnt)
4870 {
4871 struct vfsmount *m = &mnt->mnt;
4872 struct user_namespace *fs_userns = m->mnt_sb->s_user_ns;
4873
4874 if (!kattr->mnt_idmap)
4875 return 0;
4876
4877 /*
4878 * Creating an idmapped mount with the filesystem wide idmapping
4879 * doesn't make sense so block that. We don't allow mushy semantics.
4880 */
4881 if (kattr->mnt_userns == m->mnt_sb->s_user_ns)
4882 return -EINVAL;
4883
4884 /*
4885 * We only allow an mount to change it's idmapping if it has
4886 * never been accessible to userspace.
4887 */
4888 if (!(kattr->kflags & MOUNT_KATTR_IDMAP_REPLACE) && is_idmapped_mnt(m))
4889 return -EPERM;
4890
4891 /* The underlying filesystem doesn't support idmapped mounts yet. */
4892 if (!(m->mnt_sb->s_type->fs_flags & FS_ALLOW_IDMAP))
4893 return -EINVAL;
4894
4895 /* The filesystem has turned off idmapped mounts. */
4896 if (m->mnt_sb->s_iflags & SB_I_NOIDMAP)
4897 return -EINVAL;
4898
4899 /* We're not controlling the superblock. */
4900 if (!ns_capable(fs_userns, CAP_SYS_ADMIN))
4901 return -EPERM;
4902
4903 /* Mount has already been visible in the filesystem hierarchy. */
4904 if (!is_anon_ns(mnt->mnt_ns))
4905 return -EINVAL;
4906
4907 return 0;
4908 }
4909
4910 /**
4911 * mnt_allow_writers() - check whether the attribute change allows writers
4912 * @kattr: the new mount attributes
4913 * @mnt: the mount to which @kattr will be applied
4914 *
4915 * Check whether thew new mount attributes in @kattr allow concurrent writers.
4916 *
4917 * Return: true if writers need to be held, false if not
4918 */
mnt_allow_writers(const struct mount_kattr * kattr,const struct mount * mnt)4919 static inline bool mnt_allow_writers(const struct mount_kattr *kattr,
4920 const struct mount *mnt)
4921 {
4922 return (!(kattr->attr_set & MNT_READONLY) ||
4923 (mnt->mnt.mnt_flags & MNT_READONLY)) &&
4924 !kattr->mnt_idmap;
4925 }
4926
mount_setattr_prepare(struct mount_kattr * kattr,struct mount * mnt)4927 static int mount_setattr_prepare(struct mount_kattr *kattr, struct mount *mnt)
4928 {
4929 struct mount *m;
4930 int err;
4931
4932 for (m = mnt; m; m = next_mnt(m, mnt)) {
4933 if (!can_change_locked_flags(m, recalc_flags(kattr, m))) {
4934 err = -EPERM;
4935 break;
4936 }
4937
4938 err = can_idmap_mount(kattr, m);
4939 if (err)
4940 break;
4941
4942 if (!mnt_allow_writers(kattr, m)) {
4943 err = mnt_hold_writers(m);
4944 if (err)
4945 break;
4946 }
4947
4948 if (!(kattr->kflags & MOUNT_KATTR_RECURSE))
4949 return 0;
4950 }
4951
4952 if (err) {
4953 struct mount *p;
4954
4955 /*
4956 * If we had to call mnt_hold_writers() MNT_WRITE_HOLD will
4957 * be set in @mnt_flags. The loop unsets MNT_WRITE_HOLD for all
4958 * mounts and needs to take care to include the first mount.
4959 */
4960 for (p = mnt; p; p = next_mnt(p, mnt)) {
4961 /* If we had to hold writers unblock them. */
4962 if (p->mnt.mnt_flags & MNT_WRITE_HOLD)
4963 mnt_unhold_writers(p);
4964
4965 /*
4966 * We're done once the first mount we changed got
4967 * MNT_WRITE_HOLD unset.
4968 */
4969 if (p == m)
4970 break;
4971 }
4972 }
4973 return err;
4974 }
4975
do_idmap_mount(const struct mount_kattr * kattr,struct mount * mnt)4976 static void do_idmap_mount(const struct mount_kattr *kattr, struct mount *mnt)
4977 {
4978 struct mnt_idmap *old_idmap;
4979
4980 if (!kattr->mnt_idmap)
4981 return;
4982
4983 old_idmap = mnt_idmap(&mnt->mnt);
4984
4985 /* Pairs with smp_load_acquire() in mnt_idmap(). */
4986 smp_store_release(&mnt->mnt.mnt_idmap, mnt_idmap_get(kattr->mnt_idmap));
4987 mnt_idmap_put(old_idmap);
4988 }
4989
mount_setattr_commit(struct mount_kattr * kattr,struct mount * mnt)4990 static void mount_setattr_commit(struct mount_kattr *kattr, struct mount *mnt)
4991 {
4992 struct mount *m;
4993
4994 for (m = mnt; m; m = next_mnt(m, mnt)) {
4995 unsigned int flags;
4996
4997 do_idmap_mount(kattr, m);
4998 flags = recalc_flags(kattr, m);
4999 WRITE_ONCE(m->mnt.mnt_flags, flags);
5000
5001 /* If we had to hold writers unblock them. */
5002 if (m->mnt.mnt_flags & MNT_WRITE_HOLD)
5003 mnt_unhold_writers(m);
5004
5005 if (kattr->propagation)
5006 change_mnt_propagation(m, kattr->propagation);
5007 if (!(kattr->kflags & MOUNT_KATTR_RECURSE))
5008 break;
5009 }
5010 touch_mnt_namespace(mnt->mnt_ns);
5011 }
5012
do_mount_setattr(struct path * path,struct mount_kattr * kattr)5013 static int do_mount_setattr(struct path *path, struct mount_kattr *kattr)
5014 {
5015 struct mount *mnt = real_mount(path->mnt);
5016 int err = 0;
5017
5018 if (!path_mounted(path))
5019 return -EINVAL;
5020
5021 if (kattr->mnt_userns) {
5022 struct mnt_idmap *mnt_idmap;
5023
5024 mnt_idmap = alloc_mnt_idmap(kattr->mnt_userns);
5025 if (IS_ERR(mnt_idmap))
5026 return PTR_ERR(mnt_idmap);
5027 kattr->mnt_idmap = mnt_idmap;
5028 }
5029
5030 if (kattr->propagation) {
5031 /*
5032 * Only take namespace_lock() if we're actually changing
5033 * propagation.
5034 */
5035 namespace_lock();
5036 if (kattr->propagation == MS_SHARED) {
5037 err = invent_group_ids(mnt, kattr->kflags & MOUNT_KATTR_RECURSE);
5038 if (err) {
5039 namespace_unlock();
5040 return err;
5041 }
5042 }
5043 }
5044
5045 err = -EINVAL;
5046 lock_mount_hash();
5047
5048 /* Ensure that this isn't anything purely vfs internal. */
5049 if (!is_mounted(&mnt->mnt))
5050 goto out;
5051
5052 /*
5053 * If this is an attached mount make sure it's located in the callers
5054 * mount namespace. If it's not don't let the caller interact with it.
5055 *
5056 * If this mount doesn't have a parent it's most often simply a
5057 * detached mount with an anonymous mount namespace. IOW, something
5058 * that's simply not attached yet. But there are apparently also users
5059 * that do change mount properties on the rootfs itself. That obviously
5060 * neither has a parent nor is it a detached mount so we cannot
5061 * unconditionally check for detached mounts.
5062 */
5063 if ((mnt_has_parent(mnt) || !is_anon_ns(mnt->mnt_ns)) && !check_mnt(mnt))
5064 goto out;
5065
5066 /*
5067 * First, we get the mount tree in a shape where we can change mount
5068 * properties without failure. If we succeeded to do so we commit all
5069 * changes and if we failed we clean up.
5070 */
5071 err = mount_setattr_prepare(kattr, mnt);
5072 if (!err)
5073 mount_setattr_commit(kattr, mnt);
5074
5075 out:
5076 unlock_mount_hash();
5077
5078 if (kattr->propagation) {
5079 if (err)
5080 cleanup_group_ids(mnt, NULL);
5081 namespace_unlock();
5082 }
5083
5084 return err;
5085 }
5086
build_mount_idmapped(const struct mount_attr * attr,size_t usize,struct mount_kattr * kattr)5087 static int build_mount_idmapped(const struct mount_attr *attr, size_t usize,
5088 struct mount_kattr *kattr)
5089 {
5090 struct ns_common *ns;
5091 struct user_namespace *mnt_userns;
5092
5093 if (!((attr->attr_set | attr->attr_clr) & MOUNT_ATTR_IDMAP))
5094 return 0;
5095
5096 if (attr->attr_clr & MOUNT_ATTR_IDMAP) {
5097 /*
5098 * We can only remove an idmapping if it's never been
5099 * exposed to userspace.
5100 */
5101 if (!(kattr->kflags & MOUNT_KATTR_IDMAP_REPLACE))
5102 return -EINVAL;
5103
5104 /*
5105 * Removal of idmappings is equivalent to setting
5106 * nop_mnt_idmap.
5107 */
5108 if (!(attr->attr_set & MOUNT_ATTR_IDMAP)) {
5109 kattr->mnt_idmap = &nop_mnt_idmap;
5110 return 0;
5111 }
5112 }
5113
5114 if (attr->userns_fd > INT_MAX)
5115 return -EINVAL;
5116
5117 CLASS(fd, f)(attr->userns_fd);
5118 if (fd_empty(f))
5119 return -EBADF;
5120
5121 if (!proc_ns_file(fd_file(f)))
5122 return -EINVAL;
5123
5124 ns = get_proc_ns(file_inode(fd_file(f)));
5125 if (ns->ops->type != CLONE_NEWUSER)
5126 return -EINVAL;
5127
5128 /*
5129 * The initial idmapping cannot be used to create an idmapped
5130 * mount. We use the initial idmapping as an indicator of a mount
5131 * that is not idmapped. It can simply be passed into helpers that
5132 * are aware of idmapped mounts as a convenient shortcut. A user
5133 * can just create a dedicated identity mapping to achieve the same
5134 * result.
5135 */
5136 mnt_userns = container_of(ns, struct user_namespace, ns);
5137 if (mnt_userns == &init_user_ns)
5138 return -EPERM;
5139
5140 /* We're not controlling the target namespace. */
5141 if (!ns_capable(mnt_userns, CAP_SYS_ADMIN))
5142 return -EPERM;
5143
5144 kattr->mnt_userns = get_user_ns(mnt_userns);
5145 return 0;
5146 }
5147
build_mount_kattr(const struct mount_attr * attr,size_t usize,struct mount_kattr * kattr)5148 static int build_mount_kattr(const struct mount_attr *attr, size_t usize,
5149 struct mount_kattr *kattr)
5150 {
5151 if (attr->propagation & ~MOUNT_SETATTR_PROPAGATION_FLAGS)
5152 return -EINVAL;
5153 if (hweight32(attr->propagation & MOUNT_SETATTR_PROPAGATION_FLAGS) > 1)
5154 return -EINVAL;
5155 kattr->propagation = attr->propagation;
5156
5157 if ((attr->attr_set | attr->attr_clr) & ~MOUNT_SETATTR_VALID_FLAGS)
5158 return -EINVAL;
5159
5160 kattr->attr_set = attr_flags_to_mnt_flags(attr->attr_set);
5161 kattr->attr_clr = attr_flags_to_mnt_flags(attr->attr_clr);
5162
5163 /*
5164 * Since the MOUNT_ATTR_<atime> values are an enum, not a bitmap,
5165 * users wanting to transition to a different atime setting cannot
5166 * simply specify the atime setting in @attr_set, but must also
5167 * specify MOUNT_ATTR__ATIME in the @attr_clr field.
5168 * So ensure that MOUNT_ATTR__ATIME can't be partially set in
5169 * @attr_clr and that @attr_set can't have any atime bits set if
5170 * MOUNT_ATTR__ATIME isn't set in @attr_clr.
5171 */
5172 if (attr->attr_clr & MOUNT_ATTR__ATIME) {
5173 if ((attr->attr_clr & MOUNT_ATTR__ATIME) != MOUNT_ATTR__ATIME)
5174 return -EINVAL;
5175
5176 /*
5177 * Clear all previous time settings as they are mutually
5178 * exclusive.
5179 */
5180 kattr->attr_clr |= MNT_RELATIME | MNT_NOATIME;
5181 switch (attr->attr_set & MOUNT_ATTR__ATIME) {
5182 case MOUNT_ATTR_RELATIME:
5183 kattr->attr_set |= MNT_RELATIME;
5184 break;
5185 case MOUNT_ATTR_NOATIME:
5186 kattr->attr_set |= MNT_NOATIME;
5187 break;
5188 case MOUNT_ATTR_STRICTATIME:
5189 break;
5190 default:
5191 return -EINVAL;
5192 }
5193 } else {
5194 if (attr->attr_set & MOUNT_ATTR__ATIME)
5195 return -EINVAL;
5196 }
5197
5198 return build_mount_idmapped(attr, usize, kattr);
5199 }
5200
finish_mount_kattr(struct mount_kattr * kattr)5201 static void finish_mount_kattr(struct mount_kattr *kattr)
5202 {
5203 if (kattr->mnt_userns) {
5204 put_user_ns(kattr->mnt_userns);
5205 kattr->mnt_userns = NULL;
5206 }
5207
5208 if (kattr->mnt_idmap)
5209 mnt_idmap_put(kattr->mnt_idmap);
5210 }
5211
wants_mount_setattr(struct mount_attr __user * uattr,size_t usize,struct mount_kattr * kattr)5212 static int wants_mount_setattr(struct mount_attr __user *uattr, size_t usize,
5213 struct mount_kattr *kattr)
5214 {
5215 int ret;
5216 struct mount_attr attr;
5217
5218 BUILD_BUG_ON(sizeof(struct mount_attr) != MOUNT_ATTR_SIZE_VER0);
5219
5220 if (unlikely(usize > PAGE_SIZE))
5221 return -E2BIG;
5222 if (unlikely(usize < MOUNT_ATTR_SIZE_VER0))
5223 return -EINVAL;
5224
5225 if (!may_mount())
5226 return -EPERM;
5227
5228 ret = copy_struct_from_user(&attr, sizeof(attr), uattr, usize);
5229 if (ret)
5230 return ret;
5231
5232 /* Don't bother walking through the mounts if this is a nop. */
5233 if (attr.attr_set == 0 &&
5234 attr.attr_clr == 0 &&
5235 attr.propagation == 0)
5236 return 0; /* Tell caller to not bother. */
5237
5238 ret = build_mount_kattr(&attr, usize, kattr);
5239 if (ret < 0)
5240 return ret;
5241
5242 return 1;
5243 }
5244
SYSCALL_DEFINE5(mount_setattr,int,dfd,const char __user *,path,unsigned int,flags,struct mount_attr __user *,uattr,size_t,usize)5245 SYSCALL_DEFINE5(mount_setattr, int, dfd, const char __user *, path,
5246 unsigned int, flags, struct mount_attr __user *, uattr,
5247 size_t, usize)
5248 {
5249 int err;
5250 struct path target;
5251 struct mount_kattr kattr;
5252 unsigned int lookup_flags = LOOKUP_AUTOMOUNT | LOOKUP_FOLLOW;
5253
5254 if (flags & ~(AT_EMPTY_PATH |
5255 AT_RECURSIVE |
5256 AT_SYMLINK_NOFOLLOW |
5257 AT_NO_AUTOMOUNT))
5258 return -EINVAL;
5259
5260 if (flags & AT_NO_AUTOMOUNT)
5261 lookup_flags &= ~LOOKUP_AUTOMOUNT;
5262 if (flags & AT_SYMLINK_NOFOLLOW)
5263 lookup_flags &= ~LOOKUP_FOLLOW;
5264 if (flags & AT_EMPTY_PATH)
5265 lookup_flags |= LOOKUP_EMPTY;
5266
5267 kattr = (struct mount_kattr) {
5268 .lookup_flags = lookup_flags,
5269 };
5270
5271 if (flags & AT_RECURSIVE)
5272 kattr.kflags |= MOUNT_KATTR_RECURSE;
5273
5274 err = wants_mount_setattr(uattr, usize, &kattr);
5275 if (err <= 0)
5276 return err;
5277
5278 err = user_path_at(dfd, path, kattr.lookup_flags, &target);
5279 if (!err) {
5280 err = do_mount_setattr(&target, &kattr);
5281 path_put(&target);
5282 }
5283 finish_mount_kattr(&kattr);
5284 return err;
5285 }
5286
SYSCALL_DEFINE5(open_tree_attr,int,dfd,const char __user *,filename,unsigned,flags,struct mount_attr __user *,uattr,size_t,usize)5287 SYSCALL_DEFINE5(open_tree_attr, int, dfd, const char __user *, filename,
5288 unsigned, flags, struct mount_attr __user *, uattr,
5289 size_t, usize)
5290 {
5291 struct file __free(fput) *file = NULL;
5292 int fd;
5293
5294 if (!uattr && usize)
5295 return -EINVAL;
5296
5297 file = vfs_open_tree(dfd, filename, flags);
5298 if (IS_ERR(file))
5299 return PTR_ERR(file);
5300
5301 if (uattr) {
5302 int ret;
5303 struct mount_kattr kattr = {};
5304
5305 kattr.kflags = MOUNT_KATTR_IDMAP_REPLACE;
5306 if (flags & AT_RECURSIVE)
5307 kattr.kflags |= MOUNT_KATTR_RECURSE;
5308
5309 ret = wants_mount_setattr(uattr, usize, &kattr);
5310 if (ret > 0) {
5311 ret = do_mount_setattr(&file->f_path, &kattr);
5312 finish_mount_kattr(&kattr);
5313 }
5314 if (ret)
5315 return ret;
5316 }
5317
5318 fd = get_unused_fd_flags(flags & O_CLOEXEC);
5319 if (fd < 0)
5320 return fd;
5321
5322 fd_install(fd, no_free_ptr(file));
5323 return fd;
5324 }
5325
show_path(struct seq_file * m,struct dentry * root)5326 int show_path(struct seq_file *m, struct dentry *root)
5327 {
5328 if (root->d_sb->s_op->show_path)
5329 return root->d_sb->s_op->show_path(m, root);
5330
5331 seq_dentry(m, root, " \t\n\\");
5332 return 0;
5333 }
5334
lookup_mnt_in_ns(u64 id,struct mnt_namespace * ns)5335 static struct vfsmount *lookup_mnt_in_ns(u64 id, struct mnt_namespace *ns)
5336 {
5337 struct mount *mnt = mnt_find_id_at(ns, id);
5338
5339 if (!mnt || mnt->mnt_id_unique != id)
5340 return NULL;
5341
5342 return &mnt->mnt;
5343 }
5344
5345 struct kstatmount {
5346 struct statmount __user *buf;
5347 size_t bufsize;
5348 struct vfsmount *mnt;
5349 struct mnt_idmap *idmap;
5350 u64 mask;
5351 struct path root;
5352 struct seq_file seq;
5353
5354 /* Must be last --ends in a flexible-array member. */
5355 struct statmount sm;
5356 };
5357
mnt_to_attr_flags(struct vfsmount * mnt)5358 static u64 mnt_to_attr_flags(struct vfsmount *mnt)
5359 {
5360 unsigned int mnt_flags = READ_ONCE(mnt->mnt_flags);
5361 u64 attr_flags = 0;
5362
5363 if (mnt_flags & MNT_READONLY)
5364 attr_flags |= MOUNT_ATTR_RDONLY;
5365 if (mnt_flags & MNT_NOSUID)
5366 attr_flags |= MOUNT_ATTR_NOSUID;
5367 if (mnt_flags & MNT_NODEV)
5368 attr_flags |= MOUNT_ATTR_NODEV;
5369 if (mnt_flags & MNT_NOEXEC)
5370 attr_flags |= MOUNT_ATTR_NOEXEC;
5371 if (mnt_flags & MNT_NODIRATIME)
5372 attr_flags |= MOUNT_ATTR_NODIRATIME;
5373 if (mnt_flags & MNT_NOSYMFOLLOW)
5374 attr_flags |= MOUNT_ATTR_NOSYMFOLLOW;
5375
5376 if (mnt_flags & MNT_NOATIME)
5377 attr_flags |= MOUNT_ATTR_NOATIME;
5378 else if (mnt_flags & MNT_RELATIME)
5379 attr_flags |= MOUNT_ATTR_RELATIME;
5380 else
5381 attr_flags |= MOUNT_ATTR_STRICTATIME;
5382
5383 if (is_idmapped_mnt(mnt))
5384 attr_flags |= MOUNT_ATTR_IDMAP;
5385
5386 return attr_flags;
5387 }
5388
mnt_to_propagation_flags(struct mount * m)5389 static u64 mnt_to_propagation_flags(struct mount *m)
5390 {
5391 u64 propagation = 0;
5392
5393 if (IS_MNT_SHARED(m))
5394 propagation |= MS_SHARED;
5395 if (IS_MNT_SLAVE(m))
5396 propagation |= MS_SLAVE;
5397 if (IS_MNT_UNBINDABLE(m))
5398 propagation |= MS_UNBINDABLE;
5399 if (!propagation)
5400 propagation |= MS_PRIVATE;
5401
5402 return propagation;
5403 }
5404
statmount_sb_basic(struct kstatmount * s)5405 static void statmount_sb_basic(struct kstatmount *s)
5406 {
5407 struct super_block *sb = s->mnt->mnt_sb;
5408
5409 s->sm.mask |= STATMOUNT_SB_BASIC;
5410 s->sm.sb_dev_major = MAJOR(sb->s_dev);
5411 s->sm.sb_dev_minor = MINOR(sb->s_dev);
5412 s->sm.sb_magic = sb->s_magic;
5413 s->sm.sb_flags = sb->s_flags & (SB_RDONLY|SB_SYNCHRONOUS|SB_DIRSYNC|SB_LAZYTIME);
5414 }
5415
statmount_mnt_basic(struct kstatmount * s)5416 static void statmount_mnt_basic(struct kstatmount *s)
5417 {
5418 struct mount *m = real_mount(s->mnt);
5419
5420 s->sm.mask |= STATMOUNT_MNT_BASIC;
5421 s->sm.mnt_id = m->mnt_id_unique;
5422 s->sm.mnt_parent_id = m->mnt_parent->mnt_id_unique;
5423 s->sm.mnt_id_old = m->mnt_id;
5424 s->sm.mnt_parent_id_old = m->mnt_parent->mnt_id;
5425 s->sm.mnt_attr = mnt_to_attr_flags(&m->mnt);
5426 s->sm.mnt_propagation = mnt_to_propagation_flags(m);
5427 s->sm.mnt_peer_group = IS_MNT_SHARED(m) ? m->mnt_group_id : 0;
5428 s->sm.mnt_master = IS_MNT_SLAVE(m) ? m->mnt_master->mnt_group_id : 0;
5429 }
5430
statmount_propagate_from(struct kstatmount * s)5431 static void statmount_propagate_from(struct kstatmount *s)
5432 {
5433 struct mount *m = real_mount(s->mnt);
5434
5435 s->sm.mask |= STATMOUNT_PROPAGATE_FROM;
5436 if (IS_MNT_SLAVE(m))
5437 s->sm.propagate_from = get_dominating_id(m, ¤t->fs->root);
5438 }
5439
statmount_mnt_root(struct kstatmount * s,struct seq_file * seq)5440 static int statmount_mnt_root(struct kstatmount *s, struct seq_file *seq)
5441 {
5442 int ret;
5443 size_t start = seq->count;
5444
5445 ret = show_path(seq, s->mnt->mnt_root);
5446 if (ret)
5447 return ret;
5448
5449 if (unlikely(seq_has_overflowed(seq)))
5450 return -EAGAIN;
5451
5452 /*
5453 * Unescape the result. It would be better if supplied string was not
5454 * escaped in the first place, but that's a pretty invasive change.
5455 */
5456 seq->buf[seq->count] = '\0';
5457 seq->count = start;
5458 seq_commit(seq, string_unescape_inplace(seq->buf + start, UNESCAPE_OCTAL));
5459 return 0;
5460 }
5461
statmount_mnt_point(struct kstatmount * s,struct seq_file * seq)5462 static int statmount_mnt_point(struct kstatmount *s, struct seq_file *seq)
5463 {
5464 struct vfsmount *mnt = s->mnt;
5465 struct path mnt_path = { .dentry = mnt->mnt_root, .mnt = mnt };
5466 int err;
5467
5468 err = seq_path_root(seq, &mnt_path, &s->root, "");
5469 return err == SEQ_SKIP ? 0 : err;
5470 }
5471
statmount_fs_type(struct kstatmount * s,struct seq_file * seq)5472 static int statmount_fs_type(struct kstatmount *s, struct seq_file *seq)
5473 {
5474 struct super_block *sb = s->mnt->mnt_sb;
5475
5476 seq_puts(seq, sb->s_type->name);
5477 return 0;
5478 }
5479
statmount_fs_subtype(struct kstatmount * s,struct seq_file * seq)5480 static void statmount_fs_subtype(struct kstatmount *s, struct seq_file *seq)
5481 {
5482 struct super_block *sb = s->mnt->mnt_sb;
5483
5484 if (sb->s_subtype)
5485 seq_puts(seq, sb->s_subtype);
5486 }
5487
statmount_sb_source(struct kstatmount * s,struct seq_file * seq)5488 static int statmount_sb_source(struct kstatmount *s, struct seq_file *seq)
5489 {
5490 struct super_block *sb = s->mnt->mnt_sb;
5491 struct mount *r = real_mount(s->mnt);
5492
5493 if (sb->s_op->show_devname) {
5494 size_t start = seq->count;
5495 int ret;
5496
5497 ret = sb->s_op->show_devname(seq, s->mnt->mnt_root);
5498 if (ret)
5499 return ret;
5500
5501 if (unlikely(seq_has_overflowed(seq)))
5502 return -EAGAIN;
5503
5504 /* Unescape the result */
5505 seq->buf[seq->count] = '\0';
5506 seq->count = start;
5507 seq_commit(seq, string_unescape_inplace(seq->buf + start, UNESCAPE_OCTAL));
5508 } else {
5509 seq_puts(seq, r->mnt_devname);
5510 }
5511 return 0;
5512 }
5513
statmount_mnt_ns_id(struct kstatmount * s,struct mnt_namespace * ns)5514 static void statmount_mnt_ns_id(struct kstatmount *s, struct mnt_namespace *ns)
5515 {
5516 s->sm.mask |= STATMOUNT_MNT_NS_ID;
5517 s->sm.mnt_ns_id = ns->seq;
5518 }
5519
statmount_mnt_opts(struct kstatmount * s,struct seq_file * seq)5520 static int statmount_mnt_opts(struct kstatmount *s, struct seq_file *seq)
5521 {
5522 struct vfsmount *mnt = s->mnt;
5523 struct super_block *sb = mnt->mnt_sb;
5524 size_t start = seq->count;
5525 int err;
5526
5527 err = security_sb_show_options(seq, sb);
5528 if (err)
5529 return err;
5530
5531 if (sb->s_op->show_options) {
5532 err = sb->s_op->show_options(seq, mnt->mnt_root);
5533 if (err)
5534 return err;
5535 }
5536
5537 if (unlikely(seq_has_overflowed(seq)))
5538 return -EAGAIN;
5539
5540 if (seq->count == start)
5541 return 0;
5542
5543 /* skip leading comma */
5544 memmove(seq->buf + start, seq->buf + start + 1,
5545 seq->count - start - 1);
5546 seq->count--;
5547
5548 return 0;
5549 }
5550
statmount_opt_process(struct seq_file * seq,size_t start)5551 static inline int statmount_opt_process(struct seq_file *seq, size_t start)
5552 {
5553 char *buf_end, *opt_end, *src, *dst;
5554 int count = 0;
5555
5556 if (unlikely(seq_has_overflowed(seq)))
5557 return -EAGAIN;
5558
5559 buf_end = seq->buf + seq->count;
5560 dst = seq->buf + start;
5561 src = dst + 1; /* skip initial comma */
5562
5563 if (src >= buf_end) {
5564 seq->count = start;
5565 return 0;
5566 }
5567
5568 *buf_end = '\0';
5569 for (; src < buf_end; src = opt_end + 1) {
5570 opt_end = strchrnul(src, ',');
5571 *opt_end = '\0';
5572 dst += string_unescape(src, dst, 0, UNESCAPE_OCTAL) + 1;
5573 if (WARN_ON_ONCE(++count == INT_MAX))
5574 return -EOVERFLOW;
5575 }
5576 seq->count = dst - 1 - seq->buf;
5577 return count;
5578 }
5579
statmount_opt_array(struct kstatmount * s,struct seq_file * seq)5580 static int statmount_opt_array(struct kstatmount *s, struct seq_file *seq)
5581 {
5582 struct vfsmount *mnt = s->mnt;
5583 struct super_block *sb = mnt->mnt_sb;
5584 size_t start = seq->count;
5585 int err;
5586
5587 if (!sb->s_op->show_options)
5588 return 0;
5589
5590 err = sb->s_op->show_options(seq, mnt->mnt_root);
5591 if (err)
5592 return err;
5593
5594 err = statmount_opt_process(seq, start);
5595 if (err < 0)
5596 return err;
5597
5598 s->sm.opt_num = err;
5599 return 0;
5600 }
5601
statmount_opt_sec_array(struct kstatmount * s,struct seq_file * seq)5602 static int statmount_opt_sec_array(struct kstatmount *s, struct seq_file *seq)
5603 {
5604 struct vfsmount *mnt = s->mnt;
5605 struct super_block *sb = mnt->mnt_sb;
5606 size_t start = seq->count;
5607 int err;
5608
5609 err = security_sb_show_options(seq, sb);
5610 if (err)
5611 return err;
5612
5613 err = statmount_opt_process(seq, start);
5614 if (err < 0)
5615 return err;
5616
5617 s->sm.opt_sec_num = err;
5618 return 0;
5619 }
5620
statmount_mnt_uidmap(struct kstatmount * s,struct seq_file * seq)5621 static inline int statmount_mnt_uidmap(struct kstatmount *s, struct seq_file *seq)
5622 {
5623 int ret;
5624
5625 ret = statmount_mnt_idmap(s->idmap, seq, true);
5626 if (ret < 0)
5627 return ret;
5628
5629 s->sm.mnt_uidmap_num = ret;
5630 /*
5631 * Always raise STATMOUNT_MNT_UIDMAP even if there are no valid
5632 * mappings. This allows userspace to distinguish between a
5633 * non-idmapped mount and an idmapped mount where none of the
5634 * individual mappings are valid in the caller's idmapping.
5635 */
5636 if (is_valid_mnt_idmap(s->idmap))
5637 s->sm.mask |= STATMOUNT_MNT_UIDMAP;
5638 return 0;
5639 }
5640
statmount_mnt_gidmap(struct kstatmount * s,struct seq_file * seq)5641 static inline int statmount_mnt_gidmap(struct kstatmount *s, struct seq_file *seq)
5642 {
5643 int ret;
5644
5645 ret = statmount_mnt_idmap(s->idmap, seq, false);
5646 if (ret < 0)
5647 return ret;
5648
5649 s->sm.mnt_gidmap_num = ret;
5650 /*
5651 * Always raise STATMOUNT_MNT_GIDMAP even if there are no valid
5652 * mappings. This allows userspace to distinguish between a
5653 * non-idmapped mount and an idmapped mount where none of the
5654 * individual mappings are valid in the caller's idmapping.
5655 */
5656 if (is_valid_mnt_idmap(s->idmap))
5657 s->sm.mask |= STATMOUNT_MNT_GIDMAP;
5658 return 0;
5659 }
5660
statmount_string(struct kstatmount * s,u64 flag)5661 static int statmount_string(struct kstatmount *s, u64 flag)
5662 {
5663 int ret = 0;
5664 size_t kbufsize;
5665 struct seq_file *seq = &s->seq;
5666 struct statmount *sm = &s->sm;
5667 u32 start, *offp;
5668
5669 /* Reserve an empty string at the beginning for any unset offsets */
5670 if (!seq->count)
5671 seq_putc(seq, 0);
5672
5673 start = seq->count;
5674
5675 switch (flag) {
5676 case STATMOUNT_FS_TYPE:
5677 offp = &sm->fs_type;
5678 ret = statmount_fs_type(s, seq);
5679 break;
5680 case STATMOUNT_MNT_ROOT:
5681 offp = &sm->mnt_root;
5682 ret = statmount_mnt_root(s, seq);
5683 break;
5684 case STATMOUNT_MNT_POINT:
5685 offp = &sm->mnt_point;
5686 ret = statmount_mnt_point(s, seq);
5687 break;
5688 case STATMOUNT_MNT_OPTS:
5689 offp = &sm->mnt_opts;
5690 ret = statmount_mnt_opts(s, seq);
5691 break;
5692 case STATMOUNT_OPT_ARRAY:
5693 offp = &sm->opt_array;
5694 ret = statmount_opt_array(s, seq);
5695 break;
5696 case STATMOUNT_OPT_SEC_ARRAY:
5697 offp = &sm->opt_sec_array;
5698 ret = statmount_opt_sec_array(s, seq);
5699 break;
5700 case STATMOUNT_FS_SUBTYPE:
5701 offp = &sm->fs_subtype;
5702 statmount_fs_subtype(s, seq);
5703 break;
5704 case STATMOUNT_SB_SOURCE:
5705 offp = &sm->sb_source;
5706 ret = statmount_sb_source(s, seq);
5707 break;
5708 case STATMOUNT_MNT_UIDMAP:
5709 sm->mnt_uidmap = start;
5710 ret = statmount_mnt_uidmap(s, seq);
5711 break;
5712 case STATMOUNT_MNT_GIDMAP:
5713 sm->mnt_gidmap = start;
5714 ret = statmount_mnt_gidmap(s, seq);
5715 break;
5716 default:
5717 WARN_ON_ONCE(true);
5718 return -EINVAL;
5719 }
5720
5721 /*
5722 * If nothing was emitted, return to avoid setting the flag
5723 * and terminating the buffer.
5724 */
5725 if (seq->count == start)
5726 return ret;
5727 if (unlikely(check_add_overflow(sizeof(*sm), seq->count, &kbufsize)))
5728 return -EOVERFLOW;
5729 if (kbufsize >= s->bufsize)
5730 return -EOVERFLOW;
5731
5732 /* signal a retry */
5733 if (unlikely(seq_has_overflowed(seq)))
5734 return -EAGAIN;
5735
5736 if (ret)
5737 return ret;
5738
5739 seq->buf[seq->count++] = '\0';
5740 sm->mask |= flag;
5741 *offp = start;
5742 return 0;
5743 }
5744
copy_statmount_to_user(struct kstatmount * s)5745 static int copy_statmount_to_user(struct kstatmount *s)
5746 {
5747 struct statmount *sm = &s->sm;
5748 struct seq_file *seq = &s->seq;
5749 char __user *str = ((char __user *)s->buf) + sizeof(*sm);
5750 size_t copysize = min_t(size_t, s->bufsize, sizeof(*sm));
5751
5752 if (seq->count && copy_to_user(str, seq->buf, seq->count))
5753 return -EFAULT;
5754
5755 /* Return the number of bytes copied to the buffer */
5756 sm->size = copysize + seq->count;
5757 if (copy_to_user(s->buf, sm, copysize))
5758 return -EFAULT;
5759
5760 return 0;
5761 }
5762
listmnt_next(struct mount * curr,bool reverse)5763 static struct mount *listmnt_next(struct mount *curr, bool reverse)
5764 {
5765 struct rb_node *node;
5766
5767 if (reverse)
5768 node = rb_prev(&curr->mnt_node);
5769 else
5770 node = rb_next(&curr->mnt_node);
5771
5772 return node_to_mount(node);
5773 }
5774
grab_requested_root(struct mnt_namespace * ns,struct path * root)5775 static int grab_requested_root(struct mnt_namespace *ns, struct path *root)
5776 {
5777 struct mount *first, *child;
5778
5779 rwsem_assert_held(&namespace_sem);
5780
5781 /* We're looking at our own ns, just use get_fs_root. */
5782 if (ns == current->nsproxy->mnt_ns) {
5783 get_fs_root(current->fs, root);
5784 return 0;
5785 }
5786
5787 /*
5788 * We have to find the first mount in our ns and use that, however it
5789 * may not exist, so handle that properly.
5790 */
5791 if (mnt_ns_empty(ns))
5792 return -ENOENT;
5793
5794 first = child = ns->root;
5795 for (;;) {
5796 child = listmnt_next(child, false);
5797 if (!child)
5798 return -ENOENT;
5799 if (child->mnt_parent == first)
5800 break;
5801 }
5802
5803 root->mnt = mntget(&child->mnt);
5804 root->dentry = dget(root->mnt->mnt_root);
5805 return 0;
5806 }
5807
5808 /* This must be updated whenever a new flag is added */
5809 #define STATMOUNT_SUPPORTED (STATMOUNT_SB_BASIC | \
5810 STATMOUNT_MNT_BASIC | \
5811 STATMOUNT_PROPAGATE_FROM | \
5812 STATMOUNT_MNT_ROOT | \
5813 STATMOUNT_MNT_POINT | \
5814 STATMOUNT_FS_TYPE | \
5815 STATMOUNT_MNT_NS_ID | \
5816 STATMOUNT_MNT_OPTS | \
5817 STATMOUNT_FS_SUBTYPE | \
5818 STATMOUNT_SB_SOURCE | \
5819 STATMOUNT_OPT_ARRAY | \
5820 STATMOUNT_OPT_SEC_ARRAY | \
5821 STATMOUNT_SUPPORTED_MASK | \
5822 STATMOUNT_MNT_UIDMAP | \
5823 STATMOUNT_MNT_GIDMAP)
5824
do_statmount(struct kstatmount * s,u64 mnt_id,u64 mnt_ns_id,struct mnt_namespace * ns)5825 static int do_statmount(struct kstatmount *s, u64 mnt_id, u64 mnt_ns_id,
5826 struct mnt_namespace *ns)
5827 {
5828 struct path root __free(path_put) = {};
5829 struct mount *m;
5830 int err;
5831
5832 /* Has the namespace already been emptied? */
5833 if (mnt_ns_id && mnt_ns_empty(ns))
5834 return -ENOENT;
5835
5836 s->mnt = lookup_mnt_in_ns(mnt_id, ns);
5837 if (!s->mnt)
5838 return -ENOENT;
5839
5840 err = grab_requested_root(ns, &root);
5841 if (err)
5842 return err;
5843
5844 /*
5845 * Don't trigger audit denials. We just want to determine what
5846 * mounts to show users.
5847 */
5848 m = real_mount(s->mnt);
5849 if (!is_path_reachable(m, m->mnt.mnt_root, &root) &&
5850 !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
5851 return -EPERM;
5852
5853 err = security_sb_statfs(s->mnt->mnt_root);
5854 if (err)
5855 return err;
5856
5857 s->root = root;
5858
5859 /*
5860 * Note that mount properties in mnt->mnt_flags, mnt->mnt_idmap
5861 * can change concurrently as we only hold the read-side of the
5862 * namespace semaphore and mount properties may change with only
5863 * the mount lock held.
5864 *
5865 * We could sample the mount lock sequence counter to detect
5866 * those changes and retry. But it's not worth it. Worst that
5867 * happens is that the mnt->mnt_idmap pointer is already changed
5868 * while mnt->mnt_flags isn't or vica versa. So what.
5869 *
5870 * Both mnt->mnt_flags and mnt->mnt_idmap are set and retrieved
5871 * via READ_ONCE()/WRITE_ONCE() and guard against theoretical
5872 * torn read/write. That's all we care about right now.
5873 */
5874 s->idmap = mnt_idmap(s->mnt);
5875 if (s->mask & STATMOUNT_MNT_BASIC)
5876 statmount_mnt_basic(s);
5877
5878 if (s->mask & STATMOUNT_SB_BASIC)
5879 statmount_sb_basic(s);
5880
5881 if (s->mask & STATMOUNT_PROPAGATE_FROM)
5882 statmount_propagate_from(s);
5883
5884 if (s->mask & STATMOUNT_FS_TYPE)
5885 err = statmount_string(s, STATMOUNT_FS_TYPE);
5886
5887 if (!err && s->mask & STATMOUNT_MNT_ROOT)
5888 err = statmount_string(s, STATMOUNT_MNT_ROOT);
5889
5890 if (!err && s->mask & STATMOUNT_MNT_POINT)
5891 err = statmount_string(s, STATMOUNT_MNT_POINT);
5892
5893 if (!err && s->mask & STATMOUNT_MNT_OPTS)
5894 err = statmount_string(s, STATMOUNT_MNT_OPTS);
5895
5896 if (!err && s->mask & STATMOUNT_OPT_ARRAY)
5897 err = statmount_string(s, STATMOUNT_OPT_ARRAY);
5898
5899 if (!err && s->mask & STATMOUNT_OPT_SEC_ARRAY)
5900 err = statmount_string(s, STATMOUNT_OPT_SEC_ARRAY);
5901
5902 if (!err && s->mask & STATMOUNT_FS_SUBTYPE)
5903 err = statmount_string(s, STATMOUNT_FS_SUBTYPE);
5904
5905 if (!err && s->mask & STATMOUNT_SB_SOURCE)
5906 err = statmount_string(s, STATMOUNT_SB_SOURCE);
5907
5908 if (!err && s->mask & STATMOUNT_MNT_UIDMAP)
5909 err = statmount_string(s, STATMOUNT_MNT_UIDMAP);
5910
5911 if (!err && s->mask & STATMOUNT_MNT_GIDMAP)
5912 err = statmount_string(s, STATMOUNT_MNT_GIDMAP);
5913
5914 if (!err && s->mask & STATMOUNT_MNT_NS_ID)
5915 statmount_mnt_ns_id(s, ns);
5916
5917 if (!err && s->mask & STATMOUNT_SUPPORTED_MASK) {
5918 s->sm.mask |= STATMOUNT_SUPPORTED_MASK;
5919 s->sm.supported_mask = STATMOUNT_SUPPORTED;
5920 }
5921
5922 if (err)
5923 return err;
5924
5925 /* Are there bits in the return mask not present in STATMOUNT_SUPPORTED? */
5926 WARN_ON_ONCE(~STATMOUNT_SUPPORTED & s->sm.mask);
5927
5928 return 0;
5929 }
5930
retry_statmount(const long ret,size_t * seq_size)5931 static inline bool retry_statmount(const long ret, size_t *seq_size)
5932 {
5933 if (likely(ret != -EAGAIN))
5934 return false;
5935 if (unlikely(check_mul_overflow(*seq_size, 2, seq_size)))
5936 return false;
5937 if (unlikely(*seq_size > MAX_RW_COUNT))
5938 return false;
5939 return true;
5940 }
5941
5942 #define STATMOUNT_STRING_REQ (STATMOUNT_MNT_ROOT | STATMOUNT_MNT_POINT | \
5943 STATMOUNT_FS_TYPE | STATMOUNT_MNT_OPTS | \
5944 STATMOUNT_FS_SUBTYPE | STATMOUNT_SB_SOURCE | \
5945 STATMOUNT_OPT_ARRAY | STATMOUNT_OPT_SEC_ARRAY | \
5946 STATMOUNT_MNT_UIDMAP | STATMOUNT_MNT_GIDMAP)
5947
prepare_kstatmount(struct kstatmount * ks,struct mnt_id_req * kreq,struct statmount __user * buf,size_t bufsize,size_t seq_size)5948 static int prepare_kstatmount(struct kstatmount *ks, struct mnt_id_req *kreq,
5949 struct statmount __user *buf, size_t bufsize,
5950 size_t seq_size)
5951 {
5952 if (!access_ok(buf, bufsize))
5953 return -EFAULT;
5954
5955 memset(ks, 0, sizeof(*ks));
5956 ks->mask = kreq->param;
5957 ks->buf = buf;
5958 ks->bufsize = bufsize;
5959
5960 if (ks->mask & STATMOUNT_STRING_REQ) {
5961 if (bufsize == sizeof(ks->sm))
5962 return -EOVERFLOW;
5963
5964 ks->seq.buf = kvmalloc(seq_size, GFP_KERNEL_ACCOUNT);
5965 if (!ks->seq.buf)
5966 return -ENOMEM;
5967
5968 ks->seq.size = seq_size;
5969 }
5970
5971 return 0;
5972 }
5973
copy_mnt_id_req(const struct mnt_id_req __user * req,struct mnt_id_req * kreq)5974 static int copy_mnt_id_req(const struct mnt_id_req __user *req,
5975 struct mnt_id_req *kreq)
5976 {
5977 int ret;
5978 size_t usize;
5979
5980 BUILD_BUG_ON(sizeof(struct mnt_id_req) != MNT_ID_REQ_SIZE_VER1);
5981
5982 ret = get_user(usize, &req->size);
5983 if (ret)
5984 return -EFAULT;
5985 if (unlikely(usize > PAGE_SIZE))
5986 return -E2BIG;
5987 if (unlikely(usize < MNT_ID_REQ_SIZE_VER0))
5988 return -EINVAL;
5989 memset(kreq, 0, sizeof(*kreq));
5990 ret = copy_struct_from_user(kreq, sizeof(*kreq), req, usize);
5991 if (ret)
5992 return ret;
5993 if (kreq->spare != 0)
5994 return -EINVAL;
5995 /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
5996 if (kreq->mnt_id <= MNT_UNIQUE_ID_OFFSET)
5997 return -EINVAL;
5998 return 0;
5999 }
6000
6001 /*
6002 * If the user requested a specific mount namespace id, look that up and return
6003 * that, or if not simply grab a passive reference on our mount namespace and
6004 * return that.
6005 */
grab_requested_mnt_ns(const struct mnt_id_req * kreq)6006 static struct mnt_namespace *grab_requested_mnt_ns(const struct mnt_id_req *kreq)
6007 {
6008 struct mnt_namespace *mnt_ns;
6009
6010 if (kreq->mnt_ns_id && kreq->spare)
6011 return ERR_PTR(-EINVAL);
6012
6013 if (kreq->mnt_ns_id)
6014 return lookup_mnt_ns(kreq->mnt_ns_id);
6015
6016 if (kreq->spare) {
6017 struct ns_common *ns;
6018
6019 CLASS(fd, f)(kreq->spare);
6020 if (fd_empty(f))
6021 return ERR_PTR(-EBADF);
6022
6023 if (!proc_ns_file(fd_file(f)))
6024 return ERR_PTR(-EINVAL);
6025
6026 ns = get_proc_ns(file_inode(fd_file(f)));
6027 if (ns->ops->type != CLONE_NEWNS)
6028 return ERR_PTR(-EINVAL);
6029
6030 mnt_ns = to_mnt_ns(ns);
6031 } else {
6032 mnt_ns = current->nsproxy->mnt_ns;
6033 }
6034
6035 refcount_inc(&mnt_ns->passive);
6036 return mnt_ns;
6037 }
6038
SYSCALL_DEFINE4(statmount,const struct mnt_id_req __user *,req,struct statmount __user *,buf,size_t,bufsize,unsigned int,flags)6039 SYSCALL_DEFINE4(statmount, const struct mnt_id_req __user *, req,
6040 struct statmount __user *, buf, size_t, bufsize,
6041 unsigned int, flags)
6042 {
6043 struct mnt_namespace *ns __free(mnt_ns_release) = NULL;
6044 struct kstatmount *ks __free(kfree) = NULL;
6045 struct mnt_id_req kreq;
6046 /* We currently support retrieval of 3 strings. */
6047 size_t seq_size = 3 * PATH_MAX;
6048 int ret;
6049
6050 if (flags)
6051 return -EINVAL;
6052
6053 ret = copy_mnt_id_req(req, &kreq);
6054 if (ret)
6055 return ret;
6056
6057 ns = grab_requested_mnt_ns(&kreq);
6058 if (!ns)
6059 return -ENOENT;
6060
6061 if (kreq.mnt_ns_id && (ns != current->nsproxy->mnt_ns) &&
6062 !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
6063 return -ENOENT;
6064
6065 ks = kmalloc(sizeof(*ks), GFP_KERNEL_ACCOUNT);
6066 if (!ks)
6067 return -ENOMEM;
6068
6069 retry:
6070 ret = prepare_kstatmount(ks, &kreq, buf, bufsize, seq_size);
6071 if (ret)
6072 return ret;
6073
6074 scoped_guard(rwsem_read, &namespace_sem)
6075 ret = do_statmount(ks, kreq.mnt_id, kreq.mnt_ns_id, ns);
6076
6077 if (!ret)
6078 ret = copy_statmount_to_user(ks);
6079 kvfree(ks->seq.buf);
6080 if (retry_statmount(ret, &seq_size))
6081 goto retry;
6082 return ret;
6083 }
6084
do_listmount(struct mnt_namespace * ns,u64 mnt_parent_id,u64 last_mnt_id,u64 * mnt_ids,size_t nr_mnt_ids,bool reverse)6085 static ssize_t do_listmount(struct mnt_namespace *ns, u64 mnt_parent_id,
6086 u64 last_mnt_id, u64 *mnt_ids, size_t nr_mnt_ids,
6087 bool reverse)
6088 {
6089 struct path root __free(path_put) = {};
6090 struct path orig;
6091 struct mount *r, *first;
6092 ssize_t ret;
6093
6094 rwsem_assert_held(&namespace_sem);
6095
6096 ret = grab_requested_root(ns, &root);
6097 if (ret)
6098 return ret;
6099
6100 if (mnt_parent_id == LSMT_ROOT) {
6101 orig = root;
6102 } else {
6103 orig.mnt = lookup_mnt_in_ns(mnt_parent_id, ns);
6104 if (!orig.mnt)
6105 return -ENOENT;
6106 orig.dentry = orig.mnt->mnt_root;
6107 }
6108
6109 /*
6110 * Don't trigger audit denials. We just want to determine what
6111 * mounts to show users.
6112 */
6113 if (!is_path_reachable(real_mount(orig.mnt), orig.dentry, &root) &&
6114 !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
6115 return -EPERM;
6116
6117 ret = security_sb_statfs(orig.dentry);
6118 if (ret)
6119 return ret;
6120
6121 if (!last_mnt_id) {
6122 if (reverse)
6123 first = node_to_mount(ns->mnt_last_node);
6124 else
6125 first = node_to_mount(ns->mnt_first_node);
6126 } else {
6127 if (reverse)
6128 first = mnt_find_id_at_reverse(ns, last_mnt_id - 1);
6129 else
6130 first = mnt_find_id_at(ns, last_mnt_id + 1);
6131 }
6132
6133 for (ret = 0, r = first; r && nr_mnt_ids; r = listmnt_next(r, reverse)) {
6134 if (r->mnt_id_unique == mnt_parent_id)
6135 continue;
6136 if (!is_path_reachable(r, r->mnt.mnt_root, &orig))
6137 continue;
6138 *mnt_ids = r->mnt_id_unique;
6139 mnt_ids++;
6140 nr_mnt_ids--;
6141 ret++;
6142 }
6143 return ret;
6144 }
6145
SYSCALL_DEFINE4(listmount,const struct mnt_id_req __user *,req,u64 __user *,mnt_ids,size_t,nr_mnt_ids,unsigned int,flags)6146 SYSCALL_DEFINE4(listmount, const struct mnt_id_req __user *, req,
6147 u64 __user *, mnt_ids, size_t, nr_mnt_ids, unsigned int, flags)
6148 {
6149 u64 *kmnt_ids __free(kvfree) = NULL;
6150 const size_t maxcount = 1000000;
6151 struct mnt_namespace *ns __free(mnt_ns_release) = NULL;
6152 struct mnt_id_req kreq;
6153 u64 last_mnt_id;
6154 ssize_t ret;
6155
6156 if (flags & ~LISTMOUNT_REVERSE)
6157 return -EINVAL;
6158
6159 /*
6160 * If the mount namespace really has more than 1 million mounts the
6161 * caller must iterate over the mount namespace (and reconsider their
6162 * system design...).
6163 */
6164 if (unlikely(nr_mnt_ids > maxcount))
6165 return -EOVERFLOW;
6166
6167 if (!access_ok(mnt_ids, nr_mnt_ids * sizeof(*mnt_ids)))
6168 return -EFAULT;
6169
6170 ret = copy_mnt_id_req(req, &kreq);
6171 if (ret)
6172 return ret;
6173
6174 last_mnt_id = kreq.param;
6175 /* The first valid unique mount id is MNT_UNIQUE_ID_OFFSET + 1. */
6176 if (last_mnt_id != 0 && last_mnt_id <= MNT_UNIQUE_ID_OFFSET)
6177 return -EINVAL;
6178
6179 kmnt_ids = kvmalloc_array(nr_mnt_ids, sizeof(*kmnt_ids),
6180 GFP_KERNEL_ACCOUNT);
6181 if (!kmnt_ids)
6182 return -ENOMEM;
6183
6184 ns = grab_requested_mnt_ns(&kreq);
6185 if (!ns)
6186 return -ENOENT;
6187
6188 if (kreq.mnt_ns_id && (ns != current->nsproxy->mnt_ns) &&
6189 !ns_capable_noaudit(ns->user_ns, CAP_SYS_ADMIN))
6190 return -ENOENT;
6191
6192 /*
6193 * We only need to guard against mount topology changes as
6194 * listmount() doesn't care about any mount properties.
6195 */
6196 scoped_guard(rwsem_read, &namespace_sem)
6197 ret = do_listmount(ns, kreq.mnt_id, last_mnt_id, kmnt_ids,
6198 nr_mnt_ids, (flags & LISTMOUNT_REVERSE));
6199 if (ret <= 0)
6200 return ret;
6201
6202 if (copy_to_user(mnt_ids, kmnt_ids, ret * sizeof(*mnt_ids)))
6203 return -EFAULT;
6204
6205 return ret;
6206 }
6207
init_mount_tree(void)6208 static void __init init_mount_tree(void)
6209 {
6210 struct vfsmount *mnt;
6211 struct mount *m;
6212 struct mnt_namespace *ns;
6213 struct path root;
6214
6215 mnt = vfs_kern_mount(&rootfs_fs_type, 0, "rootfs", NULL);
6216 if (IS_ERR(mnt))
6217 panic("Can't create rootfs");
6218
6219 ns = alloc_mnt_ns(&init_user_ns, false);
6220 if (IS_ERR(ns))
6221 panic("Can't allocate initial namespace");
6222 m = real_mount(mnt);
6223 ns->root = m;
6224 ns->nr_mounts = 1;
6225 mnt_add_to_ns(ns, m);
6226 init_task.nsproxy->mnt_ns = ns;
6227 get_mnt_ns(ns);
6228
6229 root.mnt = mnt;
6230 root.dentry = mnt->mnt_root;
6231 mnt->mnt_flags |= MNT_LOCKED;
6232
6233 set_fs_pwd(current->fs, &root);
6234 set_fs_root(current->fs, &root);
6235
6236 mnt_ns_tree_add(ns);
6237 }
6238
mnt_init(void)6239 void __init mnt_init(void)
6240 {
6241 int err;
6242
6243 mnt_cache = kmem_cache_create("mnt_cache", sizeof(struct mount),
6244 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_ACCOUNT, NULL);
6245
6246 mount_hashtable = alloc_large_system_hash("Mount-cache",
6247 sizeof(struct hlist_head),
6248 mhash_entries, 19,
6249 HASH_ZERO,
6250 &m_hash_shift, &m_hash_mask, 0, 0);
6251 mountpoint_hashtable = alloc_large_system_hash("Mountpoint-cache",
6252 sizeof(struct hlist_head),
6253 mphash_entries, 19,
6254 HASH_ZERO,
6255 &mp_hash_shift, &mp_hash_mask, 0, 0);
6256
6257 if (!mount_hashtable || !mountpoint_hashtable)
6258 panic("Failed to allocate mount hash table\n");
6259
6260 kernfs_init();
6261
6262 err = sysfs_init();
6263 if (err)
6264 printk(KERN_WARNING "%s: sysfs_init error: %d\n",
6265 __func__, err);
6266 fs_kobj = kobject_create_and_add("fs", NULL);
6267 if (!fs_kobj)
6268 printk(KERN_WARNING "%s: kobj create error\n", __func__);
6269 shmem_init();
6270 init_rootfs();
6271 init_mount_tree();
6272 }
6273
put_mnt_ns(struct mnt_namespace * ns)6274 void put_mnt_ns(struct mnt_namespace *ns)
6275 {
6276 if (!refcount_dec_and_test(&ns->ns.count))
6277 return;
6278 namespace_lock();
6279 lock_mount_hash();
6280 umount_tree(ns->root, 0);
6281 unlock_mount_hash();
6282 namespace_unlock();
6283 free_mnt_ns(ns);
6284 }
6285
kern_mount(struct file_system_type * type)6286 struct vfsmount *kern_mount(struct file_system_type *type)
6287 {
6288 struct vfsmount *mnt;
6289 mnt = vfs_kern_mount(type, SB_KERNMOUNT, type->name, NULL);
6290 if (!IS_ERR(mnt)) {
6291 /*
6292 * it is a longterm mount, don't release mnt until
6293 * we unmount before file sys is unregistered
6294 */
6295 real_mount(mnt)->mnt_ns = MNT_NS_INTERNAL;
6296 }
6297 return mnt;
6298 }
6299 EXPORT_SYMBOL_GPL(kern_mount);
6300
kern_unmount(struct vfsmount * mnt)6301 void kern_unmount(struct vfsmount *mnt)
6302 {
6303 /* release long term mount so mount point can be released */
6304 if (!IS_ERR(mnt)) {
6305 mnt_make_shortterm(mnt);
6306 synchronize_rcu(); /* yecchhh... */
6307 mntput(mnt);
6308 }
6309 }
6310 EXPORT_SYMBOL(kern_unmount);
6311
kern_unmount_array(struct vfsmount * mnt[],unsigned int num)6312 void kern_unmount_array(struct vfsmount *mnt[], unsigned int num)
6313 {
6314 unsigned int i;
6315
6316 for (i = 0; i < num; i++)
6317 mnt_make_shortterm(mnt[i]);
6318 synchronize_rcu_expedited();
6319 for (i = 0; i < num; i++)
6320 mntput(mnt[i]);
6321 }
6322 EXPORT_SYMBOL(kern_unmount_array);
6323
our_mnt(struct vfsmount * mnt)6324 bool our_mnt(struct vfsmount *mnt)
6325 {
6326 return check_mnt(real_mount(mnt));
6327 }
6328
current_chrooted(void)6329 bool current_chrooted(void)
6330 {
6331 /* Does the current process have a non-standard root */
6332 struct path ns_root;
6333 struct path fs_root;
6334 bool chrooted;
6335
6336 /* Find the namespace root */
6337 ns_root.mnt = ¤t->nsproxy->mnt_ns->root->mnt;
6338 ns_root.dentry = ns_root.mnt->mnt_root;
6339 path_get(&ns_root);
6340 while (d_mountpoint(ns_root.dentry) && follow_down_one(&ns_root))
6341 ;
6342
6343 get_fs_root(current->fs, &fs_root);
6344
6345 chrooted = !path_equal(&fs_root, &ns_root);
6346
6347 path_put(&fs_root);
6348 path_put(&ns_root);
6349
6350 return chrooted;
6351 }
6352
mnt_already_visible(struct mnt_namespace * ns,const struct super_block * sb,int * new_mnt_flags)6353 static bool mnt_already_visible(struct mnt_namespace *ns,
6354 const struct super_block *sb,
6355 int *new_mnt_flags)
6356 {
6357 int new_flags = *new_mnt_flags;
6358 struct mount *mnt, *n;
6359 bool visible = false;
6360
6361 down_read(&namespace_sem);
6362 rbtree_postorder_for_each_entry_safe(mnt, n, &ns->mounts, mnt_node) {
6363 struct mount *child;
6364 int mnt_flags;
6365
6366 if (mnt->mnt.mnt_sb->s_type != sb->s_type)
6367 continue;
6368
6369 /* This mount is not fully visible if it's root directory
6370 * is not the root directory of the filesystem.
6371 */
6372 if (mnt->mnt.mnt_root != mnt->mnt.mnt_sb->s_root)
6373 continue;
6374
6375 /* A local view of the mount flags */
6376 mnt_flags = mnt->mnt.mnt_flags;
6377
6378 /* Don't miss readonly hidden in the superblock flags */
6379 if (sb_rdonly(mnt->mnt.mnt_sb))
6380 mnt_flags |= MNT_LOCK_READONLY;
6381
6382 /* Verify the mount flags are equal to or more permissive
6383 * than the proposed new mount.
6384 */
6385 if ((mnt_flags & MNT_LOCK_READONLY) &&
6386 !(new_flags & MNT_READONLY))
6387 continue;
6388 if ((mnt_flags & MNT_LOCK_ATIME) &&
6389 ((mnt_flags & MNT_ATIME_MASK) != (new_flags & MNT_ATIME_MASK)))
6390 continue;
6391
6392 /* This mount is not fully visible if there are any
6393 * locked child mounts that cover anything except for
6394 * empty directories.
6395 */
6396 list_for_each_entry(child, &mnt->mnt_mounts, mnt_child) {
6397 struct inode *inode = child->mnt_mountpoint->d_inode;
6398 /* Only worry about locked mounts */
6399 if (!(child->mnt.mnt_flags & MNT_LOCKED))
6400 continue;
6401 /* Is the directory permanently empty? */
6402 if (!is_empty_dir_inode(inode))
6403 goto next;
6404 }
6405 /* Preserve the locked attributes */
6406 *new_mnt_flags |= mnt_flags & (MNT_LOCK_READONLY | \
6407 MNT_LOCK_ATIME);
6408 visible = true;
6409 goto found;
6410 next: ;
6411 }
6412 found:
6413 up_read(&namespace_sem);
6414 return visible;
6415 }
6416
mount_too_revealing(const struct super_block * sb,int * new_mnt_flags)6417 static bool mount_too_revealing(const struct super_block *sb, int *new_mnt_flags)
6418 {
6419 const unsigned long required_iflags = SB_I_NOEXEC | SB_I_NODEV;
6420 struct mnt_namespace *ns = current->nsproxy->mnt_ns;
6421 unsigned long s_iflags;
6422
6423 if (ns->user_ns == &init_user_ns)
6424 return false;
6425
6426 /* Can this filesystem be too revealing? */
6427 s_iflags = sb->s_iflags;
6428 if (!(s_iflags & SB_I_USERNS_VISIBLE))
6429 return false;
6430
6431 if ((s_iflags & required_iflags) != required_iflags) {
6432 WARN_ONCE(1, "Expected s_iflags to contain 0x%lx\n",
6433 required_iflags);
6434 return true;
6435 }
6436
6437 return !mnt_already_visible(ns, sb, new_mnt_flags);
6438 }
6439
mnt_may_suid(struct vfsmount * mnt)6440 bool mnt_may_suid(struct vfsmount *mnt)
6441 {
6442 /*
6443 * Foreign mounts (accessed via fchdir or through /proc
6444 * symlinks) are always treated as if they are nosuid. This
6445 * prevents namespaces from trusting potentially unsafe
6446 * suid/sgid bits, file caps, or security labels that originate
6447 * in other namespaces.
6448 */
6449 return !(mnt->mnt_flags & MNT_NOSUID) && check_mnt(real_mount(mnt)) &&
6450 current_in_userns(mnt->mnt_sb->s_user_ns);
6451 }
6452
mntns_get(struct task_struct * task)6453 static struct ns_common *mntns_get(struct task_struct *task)
6454 {
6455 struct ns_common *ns = NULL;
6456 struct nsproxy *nsproxy;
6457
6458 task_lock(task);
6459 nsproxy = task->nsproxy;
6460 if (nsproxy) {
6461 ns = &nsproxy->mnt_ns->ns;
6462 get_mnt_ns(to_mnt_ns(ns));
6463 }
6464 task_unlock(task);
6465
6466 return ns;
6467 }
6468
mntns_put(struct ns_common * ns)6469 static void mntns_put(struct ns_common *ns)
6470 {
6471 put_mnt_ns(to_mnt_ns(ns));
6472 }
6473
mntns_install(struct nsset * nsset,struct ns_common * ns)6474 static int mntns_install(struct nsset *nsset, struct ns_common *ns)
6475 {
6476 struct nsproxy *nsproxy = nsset->nsproxy;
6477 struct fs_struct *fs = nsset->fs;
6478 struct mnt_namespace *mnt_ns = to_mnt_ns(ns), *old_mnt_ns;
6479 struct user_namespace *user_ns = nsset->cred->user_ns;
6480 struct path root;
6481 int err;
6482
6483 if (!ns_capable(mnt_ns->user_ns, CAP_SYS_ADMIN) ||
6484 !ns_capable(user_ns, CAP_SYS_CHROOT) ||
6485 !ns_capable(user_ns, CAP_SYS_ADMIN))
6486 return -EPERM;
6487
6488 if (is_anon_ns(mnt_ns))
6489 return -EINVAL;
6490
6491 if (fs->users != 1)
6492 return -EINVAL;
6493
6494 get_mnt_ns(mnt_ns);
6495 old_mnt_ns = nsproxy->mnt_ns;
6496 nsproxy->mnt_ns = mnt_ns;
6497
6498 /* Find the root */
6499 err = vfs_path_lookup(mnt_ns->root->mnt.mnt_root, &mnt_ns->root->mnt,
6500 "/", LOOKUP_DOWN, &root);
6501 if (err) {
6502 /* revert to old namespace */
6503 nsproxy->mnt_ns = old_mnt_ns;
6504 put_mnt_ns(mnt_ns);
6505 return err;
6506 }
6507
6508 put_mnt_ns(old_mnt_ns);
6509
6510 /* Update the pwd and root */
6511 set_fs_pwd(fs, &root);
6512 set_fs_root(fs, &root);
6513
6514 path_put(&root);
6515 return 0;
6516 }
6517
mntns_owner(struct ns_common * ns)6518 static struct user_namespace *mntns_owner(struct ns_common *ns)
6519 {
6520 return to_mnt_ns(ns)->user_ns;
6521 }
6522
6523 const struct proc_ns_operations mntns_operations = {
6524 .name = "mnt",
6525 .type = CLONE_NEWNS,
6526 .get = mntns_get,
6527 .put = mntns_put,
6528 .install = mntns_install,
6529 .owner = mntns_owner,
6530 };
6531
6532 #ifdef CONFIG_SYSCTL
6533 static const struct ctl_table fs_namespace_sysctls[] = {
6534 {
6535 .procname = "mount-max",
6536 .data = &sysctl_mount_max,
6537 .maxlen = sizeof(unsigned int),
6538 .mode = 0644,
6539 .proc_handler = proc_dointvec_minmax,
6540 .extra1 = SYSCTL_ONE,
6541 },
6542 };
6543
init_fs_namespace_sysctls(void)6544 static int __init init_fs_namespace_sysctls(void)
6545 {
6546 register_sysctl_init("fs", fs_namespace_sysctls);
6547 return 0;
6548 }
6549 fs_initcall(init_fs_namespace_sysctls);
6550
6551 #endif /* CONFIG_SYSCTL */
6552