clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns

Al Viro · Al Viro · commit c28f922c9dce · 2025-06-07T01:37:24.000-04:00
What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to. clone_private_mnt() checks the former, but not the latter. There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above. Reviewed-by: Christian Brauner <brauner@kernel.org> Reported-by: "Orlando, Noah" <Noah.Orlando@deshaw.com> Fixes: 427215d ("ovl: prevent private clone if bind mount is not allowed") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
diff --git a/fs/namespace.c b/fs/namespace.c
@@ -2510,6 +2510,9 @@ struct vfsmount *clone_private_mount(const struct path *path)
 			return ERR_PTR(-EINVAL);
 	}
 
+        if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN))
+		return ERR_PTR(-EPERM);
+
 	if (__has_locked_children(old_mnt, path->dentry))
 		return ERR_PTR(-EINVAL);
 

Original file line number	Diff line number	Diff line change
`@@ -2510,6 +2510,9 @@ struct vfsmount clone_private_mount(const struct path path)`
`2510`	`2510`	`return ERR_PTR(-EINVAL);`
`2511`	`2511`	`}`
`2512`	`2512`
	`2513`	`+ if (!ns_capable(old_mnt->mnt_ns->user_ns, CAP_SYS_ADMIN))`
	`2514`	`+ return ERR_PTR(-EPERM);`
	`2515`	`+`
`2513`	`2516`	`if (__has_locked_children(old_mnt, path->dentry))`
`2514`	`2517`	`return ERR_PTR(-EINVAL);`
`2515`	`2518`