[PATCH] fs: warn on mount propagation in unprivileged user namespaces

Mount propagation operations in unprivileged user namespaces can bypass isolation. Add a pr_warn_once warning in mount(2) and mount_setattr(2) when MS_SHARED, MS_SLAVE, or MS_UNBINDABLE propagation flags are used without CAP_SYS_ADMIN. Document the warning in sharedsubtree.rst with an explanation of why it is emitted and how to avoid it.
---
 Documentation/filesystems/sharedsubtree.rst | 13 ++++++++++++-
 fs/namespace.c                              | 17 +++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/Documentation/filesystems/sharedsubtree.rst b/Documentation/filesystems/sharedsubtree.rst
index 1cf56489ed48..714f2ac1cdda 100644
--- a/Documentation/filesystems/sharedsubtree.rst
+++ b/Documentation/filesystems/sharedsubtree.rst
@@ -717,7 +717,18 @@ replicas continue to be exactly same.
 
 			mkdir -p /tmp/m1
 
-			mount --rbind /root /tmp/m1
+		mount --rbind /root /tmp/m1
+
+	Q4. Why do I sometimes see a kernel warning when using --make-shared,
+	    --make-slave, or --make-unbindable in an unprivileged user namespace?
+
+	    In an unprivileged user namespace (where CAP_SYS_ADMIN is not held),
+	    mount propagation operations can inadvertently bypass namespace
+	    isolation by sharing mount events with other namespaces. To help
+	    prevent subtle security or isolation issues, the kernel emits a
+	    one-time warning (pr_warn_once) when it detects propagation flags
+	    in such contexts. Avoid propagation flags or perform mounts in a
+	    properly privileged namespace to suppress this warning.
 
 		      the new tree now looks like this::
 
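Review bot: the new Q4 entry is inserted into the middle of the preceding example, between the `mount --rbind /root /tmp/m1` command and the line `the new tree now looks like this::`, so that example's command is now separated from its resulting tree diagram by an unrelated question; move Q4 after the end of that example. The hunk also changes the indentation of the `mount --rbind /root /tmp/m1` line from three tabs to two, which is an unrelated whitespace change that no longer matches the sibling `mkdir -p /tmp/m1` line; drop it or send it separately. The answer text should also say concretely what can be shared across namespaces and what an administrator should look at, since "inadvertently bypass namespace isolation" gives the reader nothing to check.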
diff --git a/fs/namespace.c b/fs/namespace.c
index 54c59e091919..e2f3911c2878 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -4447,6 +4447,15 @@ SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
 	if (IS_ERR(options))
 		goto out_data;
 
+	/*
+	 * Warn when using mount propagation flags in an unprivileged user namespace.
+	 * Propagation operations in an unprivileged namespace can bypass isolation.
+	 */
+	if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN) &&
+	    (flags & (MS_SHARED | MS_SLAVE | MS_UNBINDABLE))) {
+		pr_warn_once("mount: unprivileged mount propagation may bypass namespace isolation\n");
+	}
+
 	ret = do_mount(kernel_dev, dir_name, kernel_type, flags, options);
 
 	kfree(options);
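Review bot: the warning is emitted before do_mount() has validated the request, so a call that is subsequently rejected (for example with -EPERM or -EINVAL) still consumes the single pr_warn_once shot, and because the message is printed at most once per boot, one harmless call from any process exhausts it and later uses leave no trace in the log. If the goal is to give administrators a usable signal, a rate-limited message (pr_warn_ratelimited) that names the caller, placed where do_mount() actually handles the propagation request, would be more useful than a one-shot message at syscall entry. Two smaller points: the braces around the single pr_warn_once() statement are unnecessary per the kernel coding style, and the commit message asserts that these operations "can bypass isolation" without describing the scenario; since the patch adds no enforcement, a reviewer needs the concrete case to judge whether a warning is the right response.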
@@ -5275,6 +5284,14 @@ SYSCALL_DEFINE5(mount_setattr, int, dfd, const char __user *, path,
 	if (err <= 0)
 		return err;
 
+	/*
+	 * Warn when changing mount propagation in an unprivileged user namespace.
+	 */
+	if (!ns_capable(current_user_ns(), CAP_SYS_ADMIN) &&
+	    (kattr.propagation & MOUNT_SETATTR_PROPAGATION_FLAGS)) {
+		pr_warn_once("mount: unprivileged mount propagation may bypass namespace isolation\n");
+	}
+
 	err = user_path_at(dfd, path, kattr.lookup_flags, &target);
 	if (!err) {
 		err = do_mount_setattr(&target, &kattr);
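Review bot: this block duplicates the capability check and the message string from the mount(2) hunk; factor both into a small static helper so the two call sites cannot drift apart. Because pr_warn_once is tracked per call site, the identical string can appear twice in the log, and since both read "mount:" the reader cannot tell whether mount(2) or mount_setattr(2) triggered it; name the syscall in the message. The check also runs before user_path_at(), so a request with an invalid path triggers the warning even though nothing is changed. Finally, the documentation hunk only describes the mount(8) --make-* flags; the mount_setattr(2) case introduced here should be mentioned in the same entry.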
-- 
2.49.0