path: root/fs/fs_context.c
author: Al Viro <viro@zeniv.linux.org.uk> 2019-05-12 23:09:01 +0200
committer: Al Viro <viro@zeniv.linux.org.uk> 2019-05-25 23:59:58 +0200
commit: 2527b284defaeadf74829b0b0bd3207ca7f165eb
tree: 5995146d7d565f6e01c8dbd84b49eab9f963d4fc /fs/fs_context.c
parent: vfs: Kill mount_ns()
move the capability checks from sget_userns() to legacy_get_tree()

1) all call chains leading to sget_userns() pass through ->mount() instances.
2) none of ->mount() instances is ever called directly - the only call site is legacy_get_tree()
3) all remaining ->mount() instances end up calling sget_userns()

IOW, we might as well do the capability checks just before calling ->mount(). As for the arguments passed to mount_capable(), in case of call chains to sget_userns() going through sget(), we either don't call mount_capable() at all, or pass current_user_ns() to it. The call chains going through mount_pseudo_xattr() don't call mount_capable() at all (SB_KERNMOUNT in flags on those).

That could've been split into smaller steps (lifting the checks into sget(), then callers of sget(), then all the way to the entries of every ->mount() out there, then to the sole caller), but that would be too much churn for little benefit...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Diffstat (limited to '')
-rw-r--r-- fs/fs_context.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/fs/fs_context.c b/fs/fs_context.c
index a47ccd5a4a78..746a5871959c 100644
--- a/fs/fs_context.c
+++ b/fs/fs_context.c
@@ -662,6 +662,11 @@ static int legacy_get_tree(struct fs_context *fc)
struct super_block *sb;
struct dentry *root;
+ if (!(fc->sb_flags & (SB_KERNMOUNT|SB_SUBMOUNT))) {
+ if (!mount_capable(fc->fs_type, current_user_ns()))
+ return -EPERM;
+ }
+
root = fc->fs_type->mount(fc->fs_type, fc->sb_flags,
fc->source, ctx->legacy_data);
if (IS_ERR(root))
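
Review bot: the new check at the top of legacy_get_tree() skips mount_capable() for both SB_KERNMOUNT and SB_SUBMOUNT, but the commit message only accounts for SB_KERNMOUNT (the mount_pseudo_xattr() chains) and never says why SB_SUBMOUNT is exempt. Because this is now the single permission gate in front of every ->mount() call, a short comment above `if (!(fc->sb_flags & (SB_KERNMOUNT|SB_SUBMOUNT))) {` stating which callers may set those two flags would make the exemption auditable. As a style point, the two nested ifs could be folded into one condition joined with &&. Only fs/fs_context.c is shown in this view (5 insertions, 0 deletions), so the matching removal of the check from sget_userns() cannot be confirmed from this hunk and should be checked in the full commit.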