On Sat, Aug 16, 2025 at 12:35:24AM +0100, Al Viro wrote:
> do_change_type() and do_set_group() are operating on different
> aspects of the same thing - propagation graph.  The latter
> asks for mounts involved to be mounted in namespace(s) the caller
> has CAP_SYS_ADMIN for.  The former is a mess - originally it
> didn't even check that mount *is* mounted.  That got fixed,
> but the resulting check turns out to be too strict for userland -
> in effect, we check that mount is in our namespace, having already
> checked that we have CAP_SYS_ADMIN there.
>
> What we really need (in both cases) is
> 	* we only touch mounts that are mounted.  Hard requirement,
> data corruption if that gets violated.
> 	* we don't allow to mess with a namespace unless you already
> have enough permissions to do so (i.e. CAP_SYS_ADMIN in its userns).
>
> That's an equivalent of what do_set_group() does; let's extract that
> into a helper (may_change_propagation()) and use it in both
> do_set_group() and do_change_type().
>
> Fixes: 12f147ddd6de "do_change_type(): refuse to operate on unmounted/not ours mounts"
> Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> ---

Reviewed-by: Christian Brauner <brauner@xxxxxxxxxx>