Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.13-rc5 2013-11-09T05:16:19+00:00 2013-11-09T05:16:19+00:00 Al Viro viro@zeniv.linux.org.uk 2013-09-30T02:06:07+00:00 urn:sha1:48a066e72d970a3e225a9c18690d570c736fc455 * RCU-delayed freeing of vfsmounts * vfsmount_lock replaced with a seqlock (mount_lock) * sequence number from mount_lock is stored in nameidata->m_seq and used when we exit RCU mode * new vfsmount flag - MNT_SYNC_UMOUNT. Set by umount_tree() when its caller knows that vfsmount will have no surviving references. * synchronize_rcu() done between unlocking namespace_sem in namespace_unlock() and doing pending mntput(). * new helper: legitimize_mnt(mnt, seq). Checks the mount_lock sequence number against seq, then grabs reference to mnt. Then it rechecks mount_lock again to close the race and either returns success or drops the reference it has acquired. The subtle point is that in case of MNT_SYNC_UMOUNT we can simply decrement the refcount and sod off - aforementioned synchronize_rcu() makes sure that final mntput() won't come until we leave RCU mode. We need that, since we don't want to end up with some lazy pathwalk racing with umount() and stealing the final mntput() from it - caller of umount() may expect it to return only once the fs is shut down and we don't want to break that. In other cases (i.e. with MNT_SYNC_UMOUNT absent) we have to do full-blown mntput() in case of mount_lock sequence number mismatch happening just as we'd grabbed the reference, but in those cases we won't be stealing the final mntput() from anything that would care. * mntput_no_expire() doesn't lock anything on the fast path now. Incidentally, SMP and UP cases are handled the same way - no ifdefs there. * normal pathname resolution does *not* do any writes to mount_lock. It does, of course, bump the refcounts of vfsmount and dentry in the very end, but that's it. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2013-07-24T16:14:46+00:00 Eric W. Biederman ebiederm@xmission.com 2013-03-30T04:04:39+00:00 urn:sha1:5ff9d8a65ce80efb509ce4e8051394e9ed2cd942 When creating a less privileged mount namespace or propogating mounts from a more privileged to a less privileged mount namespace lock the submounts so they may not be unmounted individually in the child mount namespace revealing what is under them. This enforces the reasonable expectation that it is not possible to see under a mount point. Most of the time mounts are on empty directories and revealing that does not matter, however I have seen an occassionaly sloppy configuration where there were interesting things concealed under a mount point that probably should not be revealed. Expirable submounts are not locked because they will eventually unmount automatically so whatever is under them already needs to be safe for unprivileged users to access. From a practical standpoint these restrictions do not appear to be significant for unprivileged users of the mount namespace. Recursive bind mounts and pivot_root continues to work, and mounts that are created in a mount namespace may be unmounted there. All of which means that the common idiom of keeping a directory of interesting files and using pivot_root to throw everything else away continues to work just fine. Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Andy Lutomirski <luto@amacapital.net> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2013-03-27T14:50:04+00:00 Eric W. Biederman ebiederm@xmission.com 2013-03-22T10:10:15+00:00 urn:sha1:90563b198e4c6674c63672fae1923da467215f45 When a read-only bind mount is copied from mount namespace in a higher privileged user namespace to a mount namespace in a lesser privileged user namespace, it should not be possible to remove the the read-only restriction. Add a MNT_LOCK_READONLY mount flag to indicate that a mount must remain read-only. CC: stable@vger.kernel.org Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> 2012-01-04T03:57:12+00:00 Al Viro viro@zeniv.linux.org.uk 2011-11-25T07:35:16+00:00 urn:sha1:c63181e6b6df89176b3984c6977bb5ec03d0df23 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:11+00:00 Al Viro viro@zeniv.linux.org.uk 2011-11-25T07:25:17+00:00 urn:sha1:52ba1621de1479ce7e52b6d167860462e483313c Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:11+00:00 Al Viro viro@zeniv.linux.org.uk 2011-11-25T07:19:55+00:00 urn:sha1:1a4eeaf2a8c07404e2d1c3ff99b393fd4c207170 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:10+00:00 Al Viro viro@zeniv.linux.org.uk 2011-11-25T05:57:42+00:00 urn:sha1:863d684f946eb240c7dd57d265d88315950ca5cc Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:10+00:00 Al Viro viro@zeniv.linux.org.uk 2011-11-25T05:50:41+00:00 urn:sha1:15169fe784a9846b24cdb0840329d41aebc23249 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:09+00:00 Al Viro viro@zeniv.linux.org.uk 2011-11-25T05:46:35+00:00 urn:sha1:143c8c91cee7efdd732ec5f61b3471fc46192f20 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2012-01-04T03:57:08+00:00 Al Viro viro@zeniv.linux.org.uk 2011-11-25T05:22:05+00:00 urn:sha1:6776db3d32b2a59198ec7ac6d32be0b9fdbd8a68 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>