Merge: CVE-2025-38498 fix permission checks for mount propagation change

CKI KWF Bot · CKI KWF Bot · commit b29b29c0fe54 · 2025-09-26T00:13:34.000Z
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/7292 JIRA: https://issues.redhat.com/browse/RHEL-107304 CVE: CVE-2025-38498 An inconsistent application of capabilities checking was discovered in the kernel. An initial patch was proposed and merged but regressions were reported. An additional patch was posted that makes this permission checking consistent over the two areas it's used and eliminates the regression. The risk was that the reported regression would almost certainly have serious affects for our container products (at the least) so we needed to wait for this second patch. It's still possible this change will introduce a regression because it adds a capability check. But this check is to ensure the process making the propagation type change has the appropriate capability to do so and that should be the case. Signed-off-by: Ian Kent <ikent@redhat.com> Approved-by: Miklos Szeredi <mszeredi@redhat.com> Approved-by: Brian Foster <bfoster@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>
diff --git a/fs/namespace.c b/fs/namespace.c
@@ -2311,6 +2311,19 @@ static int graft_tree(struct mount *mnt, struct mount *p, struct mountpoint *mp)
 	return attach_recursive_mnt(mnt, p, mp, false);
 }
 
+static int may_change_propagation(const struct mount *m)
+{
+        struct mnt_namespace *ns = m->mnt_ns;
+
+	 // it must be mounted in some namespace
+	 if (IS_ERR_OR_NULL(ns))         // is_mounted()
+		 return -EINVAL;
+	 // and the caller must be admin in userns of that namespace
+	 if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
+		 return -EPERM;
+	 return 0;
+}
+
 /*
  * Sanity check the flags to change_mnt_propagation.
  */
@@ -2347,6 +2360,10 @@ static int do_change_type(struct path *path, int ms_flags)
 		return -EINVAL;
 
 	namespace_lock();
+	err = may_change_propagation(mnt);
+	if (err)
+		goto out_unlock;
+
 	if (type == MS_SHARED) {
 		err = invent_group_ids(mnt, recurse);
 		if (err)
