diff options
author | Valerie Aurora <vaurora@redhat.com> | 2010-08-26 14:07:22 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-09-07 16:46:20 -0400 |
commit | 7a2e8a8faab76386d8eaae9ded739ee5615be174 (patch) | |
tree | 404b9c185f32e3e6ef871bb85c217314e4aff3e8 /fs/namespace.c | |
parent | 2bfc96a127bc1cc94d26bfaa40159966064f9c8c (diff) |
VFS: Sanity check mount flags passed to change_mnt_propagation()
Sanity check the flags passed to change_mnt_propagation(). Exactly
one flag should be set. Return EINVAL otherwise.
Userspace can pass in arbitrary combinations of MS_* flags to mount().
do_change_type() is called if any of MS_SHARED, MS_PRIVATE, MS_SLAVE,
or MS_UNBINDABLE is set. do_change_type() clears MS_REC and then
calls change_mnt_propagation() with the rest of the user-supplied
flags. change_mnt_propagation() clearly assumes only one flag is set
but do_change_type() does not check that this is true. For example,
mount() with flags MS_SHARED | MS_RDONLY does not actually make the
mount shared or read-only but does clear MNT_UNBINDABLE.
Signed-off-by: Valerie Aurora <vaurora@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/namespace.c')
-rw-r--r-- | fs/namespace.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/fs/namespace.c b/fs/namespace.c index de402eb6eafb..a72eaabfe8f2 100644 --- a/fs/namespace.c +++ b/fs/namespace.c | |||
@@ -1484,13 +1484,30 @@ out_unlock: | |||
1484 | } | 1484 | } |
1485 | 1485 | ||
1486 | /* | 1486 | /* |
1487 | * Sanity check the flags to change_mnt_propagation. | ||
1488 | */ | ||
1489 | |||
1490 | static int flags_to_propagation_type(int flags) | ||
1491 | { | ||
1492 | int type = flags & ~MS_REC; | ||
1493 | |||
1494 | /* Fail if any non-propagation flags are set */ | ||
1495 | if (type & ~(MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE)) | ||
1496 | return 0; | ||
1497 | /* Only one propagation flag should be set */ | ||
1498 | if (!is_power_of_2(type)) | ||
1499 | return 0; | ||
1500 | return type; | ||
1501 | } | ||
1502 | |||
1503 | /* | ||
1487 | * recursively change the type of the mountpoint. | 1504 | * recursively change the type of the mountpoint. |
1488 | */ | 1505 | */ |
1489 | static int do_change_type(struct path *path, int flag) | 1506 | static int do_change_type(struct path *path, int flag) |
1490 | { | 1507 | { |
1491 | struct vfsmount *m, *mnt = path->mnt; | 1508 | struct vfsmount *m, *mnt = path->mnt; |
1492 | int recurse = flag & MS_REC; | 1509 | int recurse = flag & MS_REC; |
1493 | int type = flag & ~MS_REC; | 1510 | int type; |
1494 | int err = 0; | 1511 | int err = 0; |
1495 | 1512 | ||
1496 | if (!capable(CAP_SYS_ADMIN)) | 1513 | if (!capable(CAP_SYS_ADMIN)) |
@@ -1499,6 +1516,10 @@ static int do_change_type(struct path *path, int flag) | |||
1499 | if (path->dentry != path->mnt->mnt_root) | 1516 | if (path->dentry != path->mnt->mnt_root) |
1500 | return -EINVAL; | 1517 | return -EINVAL; |
1501 | 1518 | ||
1519 | type = flags_to_propagation_type(flag); | ||
1520 | if (!type) | ||
1521 | return -EINVAL; | ||
1522 | |||
1502 | down_write(&namespace_sem); | 1523 | down_write(&namespace_sem); |
1503 | if (type == MS_SHARED) { | 1524 | if (type == MS_SHARED) { |
1504 | err = invent_group_ids(mnt, recurse); | 1525 | err = invent_group_ids(mnt, recurse); |