[PATCH 03/10] teach move_mount(2) to work with OPEN_TREE_CLONE

Alan Jenkins alan.christopher.jenkins at gmail.com
Tue Feb 26 17:45:59 UTC 2019

On 19/02/2019 17:08, David Howells wrote:
> Allow a detached tree created by open_tree(..., OPEN_TREE_CLONE) to be
> attached by move_mount(2).
> If by the time of final fput() of OPEN_TREE_CLONE-opened file its tree is
> not detached anymore, it won't be dissolved.  move_mount(2) is adjusted
> to handle detached source.
> That gives us equivalents of mount --bind and mount --rbind.

This is a bit ambiguous.  The two cases can be understood by analogy to 
bind / rbind.  But it is also seems natural, to think it could be used 
to implement the exact same thing as current `mount --bind` / 
`--rbind`.  I think it *does* now provide a full equivalence, right?

I was thinking about the case where mount propagation is enabled on the 
source tree, i.e. it is not a private mount.  Suppose a new mount is 
added inside the source tree, between open_tree() and move_mount().

In the previous version of the patch series, Eric suggested there was a 
NULL dereference in this scenario.[1]  This version should be safe.  I 
think the new mount will be propagated to the cloned tree. Furthermore - 
due to the way this version uses a temporary mount namespace - the 
propagated version of the mount will not be locked by 

[1] https://lore.kernel.org/lkml/87bm7n5k1r.fsf@xmission.com/

It looks very neat now, with the use of the temporary namespaces. 
Congratulations :-).  I have finished looking through these patches 1-3 now.

> Thanks also to Alan Jenkins<alan.christopher.jenkins at gmail.com>  for
> providing a whole bunch of ways to break things using this interface.
> Signed-off-by: Al Viro<viro at zeniv.linux.org.uk>
> Signed-off-by: David Howells<dhowells at redhat.com>
> Signed-off-by: Al Viro<viro at zeniv.linux.org.uk>
P.S. I guess Al does not need two Signed-off-by lines here.


More information about the Linux-security-module-archive mailing list