1 files changed, 33 insertions, 3 deletions
diff --git a/fs/namespace.c b/fs/namespace.c
index 1105a577a14f..dd9c93b5a9d5 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -890,8 +890,21 @@ static struct mount *clone_mnt(struct mount *old, struct dentry *root,
        mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD|MNT_MARKED);
        /* Don't allow unprivileged users to change mount flags */
-        if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))
+        if (flag & CL_UNPRIVILEGED) {
-                mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
+                mnt->mnt.mnt_flags |= MNT_LOCK_ATIME;
+                if (mnt->mnt.mnt_flags & MNT_READONLY)
+                        mnt->mnt.mnt_flags |= MNT_LOCK_READONLY;
+                if (mnt->mnt.mnt_flags & MNT_NODEV)
+                        mnt->mnt.mnt_flags |= MNT_LOCK_NODEV;
+                if (mnt->mnt.mnt_flags & MNT_NOSUID)
+                        mnt->mnt.mnt_flags |= MNT_LOCK_NOSUID;
+                if (mnt->mnt.mnt_flags & MNT_NOEXEC)
+                        mnt->mnt.mnt_flags |= MNT_LOCK_NOEXEC;
+        }
        /* Don't allow unprivileged users to reveal what is under a mount */
        if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
@@ -1931,6 +1944,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
            !(mnt_flags & MNT_READONLY)) {
                return -EPERM;
        }
+        if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
+            !(mnt_flags & MNT_NODEV)) {
+                return -EPERM;
+        }
+        if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
+            !(mnt_flags & MNT_NOSUID)) {
+                return -EPERM;
+        }
+        if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
+            !(mnt_flags & MNT_NOEXEC)) {
+                return -EPERM;
+        }
+        if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
+            ((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
+                return -EPERM;
+        }
        err = security_sb_remount(sb, data);
        if (err)
                return err;
@@ -2129,7 +2159,7 @@ static int do_new_mount(struct path *path, const char *fstype, int flags,
                 */
                if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
                        flags |= MS_NODEV;
-                        mnt_flags |= MNT_NODEV;
+                        mnt_flags |= MNT_NODEV | MNT_LOCK_NODEV;
                }
        }

diff --git a/fs/namespace.c b/fs/namespace.c index 1105a577a14f..dd9c93b5a9d5 100644 --- a/fs/namespace.c +++ b/fs/namespace.c
@@ -890,8 +890,21 @@ static struct mount clone_mnt(struct mount old, struct dentry *root,
890		890
891	mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD\|MNT_MARKED);	891	mnt->mnt.mnt_flags = old->mnt.mnt_flags & ~(MNT_WRITE_HOLD\|MNT_MARKED);
892	/* Don't allow unprivileged users to change mount flags */	892	/* Don't allow unprivileged users to change mount flags */
893	if ((flag & CL_UNPRIVILEGED) && (mnt->mnt.mnt_flags & MNT_READONLY))	893	if (flag & CL_UNPRIVILEGED) {
894	mnt->mnt.mnt_flags \|= MNT_LOCK_READONLY;	894	mnt->mnt.mnt_flags \|= MNT_LOCK_ATIME;
		895
		896	if (mnt->mnt.mnt_flags & MNT_READONLY)
		897	mnt->mnt.mnt_flags \|= MNT_LOCK_READONLY;
		898
		899	if (mnt->mnt.mnt_flags & MNT_NODEV)
		900	mnt->mnt.mnt_flags \|= MNT_LOCK_NODEV;
		901
		902	if (mnt->mnt.mnt_flags & MNT_NOSUID)
		903	mnt->mnt.mnt_flags \|= MNT_LOCK_NOSUID;
		904
		905	if (mnt->mnt.mnt_flags & MNT_NOEXEC)
		906	mnt->mnt.mnt_flags \|= MNT_LOCK_NOEXEC;
		907	}
895		908
896	/* Don't allow unprivileged users to reveal what is under a mount */	909	/* Don't allow unprivileged users to reveal what is under a mount */
897	if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))	910	if ((flag & CL_UNPRIVILEGED) && list_empty(&old->mnt_expire))
@@ -1931,6 +1944,23 @@ static int do_remount(struct path *path, int flags, int mnt_flags,
1931	!(mnt_flags & MNT_READONLY)) {	1944	!(mnt_flags & MNT_READONLY)) {
1932	return -EPERM;	1945	return -EPERM;
1933	}	1946	}
		1947	if ((mnt->mnt.mnt_flags & MNT_LOCK_NODEV) &&
		1948	!(mnt_flags & MNT_NODEV)) {
		1949	return -EPERM;
		1950	}
		1951	if ((mnt->mnt.mnt_flags & MNT_LOCK_NOSUID) &&
		1952	!(mnt_flags & MNT_NOSUID)) {
		1953	return -EPERM;
		1954	}
		1955	if ((mnt->mnt.mnt_flags & MNT_LOCK_NOEXEC) &&
		1956	!(mnt_flags & MNT_NOEXEC)) {
		1957	return -EPERM;
		1958	}
		1959	if ((mnt->mnt.mnt_flags & MNT_LOCK_ATIME) &&
		1960	((mnt->mnt.mnt_flags & MNT_ATIME_MASK) != (mnt_flags & MNT_ATIME_MASK))) {
		1961	return -EPERM;
		1962	}
		1963
1934	err = security_sb_remount(sb, data);	1964	err = security_sb_remount(sb, data);
1935	if (err)	1965	if (err)
1936	return err;	1966	return err;
@@ -2129,7 +2159,7 @@ static int do_new_mount(struct path path, const char fstype, int flags,
2129	*/	2159	*/
2130	if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {	2160	if (!(type->fs_flags & FS_USERNS_DEV_MOUNT)) {
2131	flags \|= MS_NODEV;	2161	flags \|= MS_NODEV;
2132	mnt_flags \|= MNT_NODEV;	2162	mnt_flags \|= MNT_NODEV \| MNT_LOCK_NODEV;
2133	}	2163	}
2134	}	2164	}
2135		2165