lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <53DBF99D.1050803@gentoo.org>
Date:	Fri, 01 Aug 2014 16:33:33 -0400
From:	Richard Yao <ryao@...too.org>
To:	Mateusz Guzik <mguzik@...hat.com>
CC:	kernel@...too.org, mthode@...ode.org, michael@...-team.de,
	drobbins@...too.org, viro@...iv.linux.org.uk,
	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/1] vfs: Respect MS_RDONLY at bind mount creation

On 08/01/2014 03:20 PM, Mateusz Guzik wrote:
> On Fri, Aug 01, 2014 at 02:12:24PM -0400, Richard Yao wrote:
>> `mount -o bind,ro ...` suffers from a silent failure where the readonly
>> flag is ignored. The bind mount will be created rw whenever the target
>> is rw. Users typically workaround this by remounting readonly, but that
>> does not work when you want to define readonly bind mounts in fstab.
>> This is a major annoyance when dealing with recursive bind mounts
>> because the userland mount command does not expose the option to
>> recursively remount a subtree as readonly.
>>
>> Signed-off-by: Richard Yao <ryao@...too.org>
>> ---
>>  fs/namespace.c | 12 +++++++++---
>>  1 file changed, 9 insertions(+), 3 deletions(-)
>>
>> diff --git a/fs/namespace.c b/fs/namespace.c
>> index 182bc41..0d23525 100644
>> --- a/fs/namespace.c
>> +++ b/fs/namespace.c
>> @@ -1827,11 +1827,12 @@ static bool has_locked_children(struct mount *mnt, struct dentry *dentry)
>>   * do loopback mount.
>>   */
>>  static int do_loopback(struct path *path, const char *old_name,
>> -				int recurse)
>> +				unsigned long flags)
>>  {
>>  	struct path old_path;
>> -	struct mount *mnt = NULL, *old, *parent;
>> +	struct mount *mnt = NULL, *old, *parent, *m;
>>  	struct mountpoint *mp;
>> +	int recurse = flags & MS_REC;
>>  	int err;
>>  	if (!old_name || !*old_name)
>>  		return -EINVAL;
>> @@ -1871,6 +1872,10 @@ static int do_loopback(struct path *path, const char *old_name,
>>  		goto out2;
>>  	}
>>  
>> +	if (flags & MS_RDONLY)
>> +		for (m = mnt; m; m = (recurse ? next_mnt(m, mnt) : NULL))
>> +			mnt_make_readonly(m);
>> +
>>  	mnt->mnt.mnt_flags &= ~MNT_LOCKED;
>>  
>>  	err = graft_tree(mnt, parent, mp);
>> @@ -2444,7 +2449,8 @@ long do_mount(const char *dev_name, const char *dir_name,
>>  		retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
>>  				    data_page);
>>  	else if (flags & MS_BIND)
>> -		retval = do_loopback(&path, dev_name, flags & MS_REC);
>> +		retval = do_loopback(&path, dev_name, flags & (MS_REC |
>> +							       MS_RDONLY));
>>  	else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE))
>>  		retval = do_change_type(&path, flags);
>>  	else if (flags & MS_MOVE)
> 
> I don't really know this code, but have to ask.
> 
> Would not it be much better to pass down info about rdonly request to
> copy_tree/clone_mnt (perhaps CL_MOUNT_RDONLY flag or a separate flags
> argument) and handle it there?
> 
> This would avoid fishy-looking traversal before graft_tree, which even
> if correct should not be necessary.
> 

I have a nagging feeling that people doing backports will hate me for
adding a power of 2 plus 1 bit, but your suggestion makes this more
readable. I will send v3 after I finish my regression tests.


Download attachment "signature.asc" of type "application/pgp-signature" (885 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ