umount: Allow superblock owners to force umount

Message ID	12f212d4ef983714d065a6bb372fbb378753bf4c.1742315194.git.trond.myklebust@hammerspace.com (mailing list archive)
State	New
Headers	show Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DF0CF212D6A; Tue, 18 Mar 2025 16:29:22 +0000 (UTC) From: trondmy@kernel.org To: Christian Brauner <brauner@kernel.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk>, Jan Kara <jack@suse.cz>, "Eric W . Biederman" <ebiederm@xmission.com>, linux-fsdevel@vger.kernel.org, linux-nfs@vger.kernel.org Subject: [PATCH] umount: Allow superblock owners to force umount Date: Tue, 18 Mar 2025 12:29:21 -0400 Message-ID: <12f212d4ef983714d065a6bb372fbb378753bf4c.1742315194.git.trond.myklebust@hammerspace.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	umount: Allow superblock owners to force umount \| expand umount: Allow superblock owners to force umount

Message ID

12f212d4ef983714d065a6bb372fbb378753bf4c.1742315194.git.trond.myklebust@hammerspace.com (mailing list archive)

State

New

Headers

From: trondmy@kernel.org
To: Christian Brauner <brauner@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Jan Kara <jack@suse.cz>,
	"Eric W . Biederman" <ebiederm@xmission.com>,
	linux-fsdevel@vger.kernel.org,
	linux-nfs@vger.kernel.org
Subject: [PATCH] umount: Allow superblock owners to force umount
Date: Tue, 18 Mar 2025 12:29:21 -0400
Message-ID: 
 <12f212d4ef983714d065a6bb372fbb378753bf4c.1742315194.git.trond.myklebust@hammerspace.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

umount: Allow superblock owners to force umount | expand

Commit Message

Trond Myklebust March 18, 2025, 4:29 p.m. UTC

From: Trond Myklebust <trond.myklebust@hammerspace.com>

Loosen the permission check on forced umount to allow users holding
CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
to the userns that originally mounted the filesystem.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
---
 fs/namespace.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Eric W. Biederman March 18, 2025, 8:12 p.m. UTC | #1

trondmy@kernel.org writes:

> From: Trond Myklebust <trond.myklebust@hammerspace.com>
>
> Loosen the permission check on forced umount to allow users holding
> CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
> to the userns that originally mounted the filesystem.

Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>

Semantically this seems reasonable.  I think forced umounts just got
overlooked when I was relaxing the other permission checks, to allow
things if you own the superblock.

The code has already checked you have permissions on the current mount
namespace.  Which was my immediate concern looking at the code.

Eric

> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
> ---
>  fs/namespace.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 8f1000f9f3df..d401486fe95d 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2026,6 +2026,7 @@ static void warn_mandlock(void)
>  static int can_umount(const struct path *path, int flags)
>  {
>  	struct mount *mnt = real_mount(path->mnt);
> +	struct super_block *sb = path->dentry->d_sb;
>  
>  	if (!may_mount())
>  		return -EPERM;
> @@ -2035,7 +2036,7 @@ static int can_umount(const struct path *path, int flags)
>  		return -EINVAL;
>  	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
>  		return -EINVAL;
> -	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
> +	if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
>  		return -EPERM;
>  	return 0;
>  }

Christian Brauner March 19, 2025, 8:19 a.m. UTC | #2

On Tue, 18 Mar 2025 12:29:21 -0400, trondmy@kernel.org wrote:
> Loosen the permission check on forced umount to allow users holding
> CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
> to the userns that originally mounted the filesystem.
> 
> 

Sensible.

---

Applied to the vfs-6.15.mount branch of the vfs/vfs.git tree.
Patches in the vfs-6.15.mount branch should appear in linux-next soon.

Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.

It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.

Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs-6.15.mount

[1/1] umount: Allow superblock owners to force umount
      https://git.kernel.org/vfs/vfs/c/e1ff7aa34dec

Jeff Layton March 19, 2025, 9:53 p.m. UTC | #3

On Tue, 2025-03-18 at 12:29 -0400, trondmy@kernel.org wrote:
> From: Trond Myklebust <trond.myklebust@hammerspace.com>
> 
> Loosen the permission check on forced umount to allow users holding
> CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
> to the userns that originally mounted the filesystem.
> 
> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
> ---
>  fs/namespace.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/namespace.c b/fs/namespace.c
> index 8f1000f9f3df..d401486fe95d 100644
> --- a/fs/namespace.c
> +++ b/fs/namespace.c
> @@ -2026,6 +2026,7 @@ static void warn_mandlock(void)
>  static int can_umount(const struct path *path, int flags)
>  {
>  	struct mount *mnt = real_mount(path->mnt);
> +	struct super_block *sb = path->dentry->d_sb;
>  
>  	if (!may_mount())
>  		return -EPERM;
> @@ -2035,7 +2036,7 @@ static int can_umount(const struct path *path, int flags)
>  		return -EINVAL;
>  	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
>  		return -EINVAL;
> -	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
> +	if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
>  		return -EPERM;
>  	return 0;
>  }

Reviewed-by: Jeff Layton <jlayton@kernel.org>

diff --git a/fs/namespace.c b/fs/namespace.c
index 8f1000f9f3df..d401486fe95d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2026,6 +2026,7 @@  static void warn_mandlock(void)
 static int can_umount(const struct path *path, int flags)
 {
 	struct mount *mnt = real_mount(path->mnt);
+	struct super_block *sb = path->dentry->d_sb;
 
 	if (!may_mount())
 		return -EPERM;
@@ -2035,7 +2036,7 @@  static int can_umount(const struct path *path, int flags)
 		return -EINVAL;
 	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
 		return -EINVAL;
-	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
+	if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }