*/
int __mnt_want_write_file(struct file *file)
{
- struct inode *inode = file->f_dentry->d_inode;
+ struct inode *inode = file_inode(file);
if (!(file->f_mode & FMODE_WRITE) || special_file(inode->i_mode))
return __mnt_want_write(file->f_path.mnt);
}
mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~MNT_WRITE_HOLD;
+ /* Don't allow unprivileged users to change mount flags */
+ if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
+ mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
+
atomic_inc(&sb->s_active);
mnt->mnt.mnt_sb = sb;
mnt->mnt.mnt_root = dget(root);
#endif
-static int mount_is_safe(struct path *path)
-{
- if (may_mount())
- return 0;
- return -EPERM;
-#ifdef notyet
- if (S_ISLNK(path->dentry->d_inode->i_mode))
- return -EPERM;
- if (path->dentry->d_inode->i_mode & S_ISVTX) {
- if (current_uid() != path->dentry->d_inode->i_uid)
- return -EPERM;
- }
- if (inode_permission(path->dentry->d_inode, MAY_WRITE))
- return -EPERM;
- return 0;
-#endif
-}
-
static bool mnt_ns_loop(struct path *path)
{
/* Could bind mounting the mount namespace inode cause a
int type;
int err = 0;
- if (!may_mount())
- return -EPERM;
-
if (path->dentry != path->mnt->mnt_root)
return -EINVAL;
LIST_HEAD(umount_list);
struct path old_path;
struct mount *mnt = NULL, *old;
- int err = mount_is_safe(path);
- if (err)
- return err;
+ int err;
if (!old_name || !*old_name)
return -EINVAL;
err = kern_path(old_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
if (readonly_request == __mnt_is_readonly(mnt))
return 0;
+ if (mnt->mnt_flags & MNT_LOCK_READONLY)
+ return -EPERM;
+
if (readonly_request)
error = mnt_make_readonly(real_mount(mnt));
else
struct super_block *sb = path->mnt->mnt_sb;
struct mount *mnt = real_mount(path->mnt);
- if (!capable(CAP_SYS_ADMIN))
- return -EPERM;
-
if (!check_mnt(mnt))
return -EINVAL;
down_write(&sb->s_umount);
if (flags & MS_BIND)
err = change_mount_flags(path->mnt, flags);
+ else if (!capable(CAP_SYS_ADMIN))
+ err = -EPERM;
else
err = do_remount_sb(sb, flags, data, 0);
if (!err) {
struct path old_path, parent_path;
struct mount *p;
struct mount *old;
- int err = 0;
- if (!may_mount())
- return -EPERM;
+ int err;
if (!old_name || !*old_name)
return -EINVAL;
err = kern_path(old_name, LOOKUP_FOLLOW, &old_path);
if (!fstype)
return -EINVAL;
- if (!may_mount())
- return -EPERM;
-
type = get_fs_type(fstype);
if (!type)
return -ENODEV;
if (retval)
goto dput_out;
+ if (!may_mount())
+ return -EPERM;
+
/* Default to relatime unless overriden */
if (!(flags & MS_NOATIME))
mnt_flags |= MNT_RELATIME;
/* First pass: copy the tree topology */
copy_flags = CL_COPY_ALL | CL_EXPIRE;
if (user_ns != mnt_ns->user_ns)
- copy_flags |= CL_SHARED_TO_SLAVE;
+ copy_flags |= CL_SHARED_TO_SLAVE | CL_UNPRIVILEGED;
new = copy_tree(old, old->mnt.mnt_root, copy_flags);
if (IS_ERR(new)) {
up_write(&namespace_sem);
return check_mnt(real_mount(mnt));
}
+bool current_chrooted(void)
+{
+ /* Does the current process have a non-standard root */
+ struct path ns_root;
+ struct path fs_root;
+ bool chrooted;
+
+ /* Find the namespace root */
+ ns_root.mnt = ¤t->nsproxy->mnt_ns->root->mnt;
+ ns_root.dentry = ns_root.mnt->mnt_root;
+ path_get(&ns_root);
+ while (d_mountpoint(ns_root.dentry) && follow_down_one(&ns_root))
+ ;
+
+ get_fs_root(current->fs, &fs_root);
+
+ chrooted = !path_equal(&fs_root, &ns_root);
+
+ path_put(&fs_root);
+ path_put(&ns_root);
+
+ return chrooted;
+}
+
static void *mntns_get(struct task_struct *task)
{
struct mnt_namespace *ns = NULL;
projects / ~andy / linux / blobdiff