1. Patchew
  2. linux
  3. View series

[PATCH AUTOSEL 5.10] umount: Allow superblock owners to force umount

Sasha Levin posted 1 patch 8 months, 3 weeks ago 
fs/namespace.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
[PATCH AUTOSEL 5.10] umount: Allow superblock owners to force umount
Posted by Sasha Levin 8 months, 3 weeks ago 
From: Trond Myklebust <trond.myklebust@hammerspace.com>

[ Upstream commit e1ff7aa34dec7e650159fd7ca8ec6af7cc428d9f ]

Loosen the permission check on forced umount to allow users holding
CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
to the userns that originally mounted the filesystem.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Link: https://lore.kernel.org/r/12f212d4ef983714d065a6bb372fbb378753bf4c.1742315194.git.trond.myklebust@hammerspace.com
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/namespace.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/namespace.c b/fs/namespace.c
index 7e67db7456b3d..2f97112657adc 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1716,6 +1716,7 @@ static inline bool may_mandlock(void)
 static int can_umount(const struct path *path, int flags)
 {
 	struct mount *mnt = real_mount(path->mnt);
+	struct super_block *sb = path->dentry->d_sb;
 
 	if (!may_mount())
 		return -EPERM;
@@ -1725,7 +1726,7 @@ static int can_umount(const struct path *path, int flags)
 		return -EINVAL;
 	if (mnt->mnt.mnt_flags & MNT_LOCKED) /* Check optimistically */
 		return -EINVAL;
-	if (flags & MNT_FORCE && !capable(CAP_SYS_ADMIN))
+	if (flags & MNT_FORCE && !ns_capable(sb->s_user_ns, CAP_SYS_ADMIN))
 		return -EPERM;
 	return 0;
 }
-- 
2.39.5
Re: [PATCH AUTOSEL 5.10] umount: Allow superblock owners to force umount
Posted by Pavel Machek 8 months ago 
Hi!

> From: Trond Myklebust <trond.myklebust@hammerspace.com>
> 
> [ Upstream commit e1ff7aa34dec7e650159fd7ca8ec6af7cc428d9f ]
> 
> Loosen the permission check on forced umount to allow users holding
> CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
> to the userns that originally mounted the filesystem.

Should we be tweaking permissions in -stable?

Best regards,
								Pavel

-- 
I don't work for Nazis and criminals, and neither should you.
Boycott Putin, Trump, and Musk!
Re: [PATCH AUTOSEL 5.10] umount: Allow superblock owners to force umount
Posted by Christian Brauner 8 months ago 
On Fri, Apr 18, 2025 at 06:51:38PM +0200, Pavel Machek wrote:
> Hi!
> 
> > From: Trond Myklebust <trond.myklebust@hammerspace.com>
> > 
> > [ Upstream commit e1ff7aa34dec7e650159fd7ca8ec6af7cc428d9f ]
> > 
> > Loosen the permission check on forced umount to allow users holding
> > CAP_SYS_ADMIN privileges in namespaces that are privileged with respect
> > to the userns that originally mounted the filesystem.
> 
> Should we be tweaking permissions in -stable?

Seems fine to me if you'd backport it.

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.