vfs: Add a mount flag to lock read only bind mounts
When a read-only bind mount is copied from mount namespace in a higher privileged user namespace to a mount namespace in a lesser privileged user namespace, it should not be possible to remove the the read-only restriction. Add a MNT_LOCK_READONLY mount flag to indicate that a mount must remain read-only. CC: stable@vger.kernel.org Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
This commit is contained in:
Eric W. Biederman
parent
3151527ee0
commit
90563b198e
2 changed files with 5 additions and 0 deletions
|
|
@ -1713,6 +1713,9 @@ static int change_mount_flags(struct vfsmount *mnt, int ms_flags)
|
|||
if (readonly_request == __mnt_is_readonly(mnt))
|
||||
return 0;
|
||||
|
||||
if (mnt->mnt_flags & MNT_LOCK_READONLY)
|
||||
return -EPERM;
|
||||
|
||||
if (readonly_request)
|
||||
error = mnt_make_readonly(real_mount(mnt));
|
||||
else
|
||||
|
|
|
|||
|
|
@ -47,6 +47,8 @@ struct mnt_namespace;
|
|||
|
||||
#define MNT_INTERNAL 0x4000
|
||||
|
||||
#define MNT_LOCK_READONLY 0x400000
|
||||
|
||||
struct vfsmount {
|
||||
struct dentry *mnt_root; /* root of the mounted tree */
|
||||
struct super_block *mnt_sb; /* pointer to superblock */
|
||||
|
|
|
|||
Loading…
Reference in a new issue