nstree: tighten permission checks for listing

Even privileged services should not necessarily be able to see other
privileged service's namespaces so they can't leak information to each
other. Use may_see_all_namespaces() helper that centralizes this policy
until the nstree adapts.

Link: https://patch.msgid.link/20260226-work-visibility-fixes-v1-3-d2c2853313bd@kernel.org
Fixes: 76b6f5dfb3fd ("nstree: add listns()")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@kernel.org # v6.19+
Signed-off-by: Christian Brauner <brauner@kernel.org>

diff --git a/kernel/nstree.c b/kernel/nstree.c
index f36c59e6951dc05bd194c02829c336b53d00e7ee..6d12e5900ac0156b6f63d948344125cf61a5634c 100644 (file)
--- a/kernel/nstree.c
+++ b/kernel/nstree.c
@@ -515,32 +515,11 @@ static inline bool __must_check ns_requested(const struct klistns *kls,
 static inline bool __must_check may_list_ns(const struct klistns *kls,
                                            struct ns_common *ns)
 {
-       if (kls->user_ns) {
-               if (kls->userns_capable)
-                       return true;
-       } else {
-               struct ns_common *owner;
-               struct user_namespace *user_ns;
-
-               owner = ns_owner(ns);
-               if (owner)
-                       user_ns = to_user_ns(owner);
-               else
-                       user_ns = &init_user_ns;
-               if (ns_capable_noaudit(user_ns, CAP_SYS_ADMIN))
-                       return true;
-       }
-
-       if (is_current_namespace(ns))
+       if (kls->user_ns && kls->userns_capable)
                return true;
-
-       if (ns->ns_type != CLONE_NEWUSER)
-               return false;
-
-       if (ns_capable_noaudit(to_user_ns(ns), CAP_SYS_ADMIN))
+       if (is_current_namespace(ns))
                return true;
-
-       return false;
+       return may_see_all_namespaces();
 }
 
 static inline void ns_put(struct ns_common *ns)
@@ -600,7 +579,7 @@ static ssize_t do_listns_userns(struct klistns *kls)
 
        ret = 0;
        head = &to_ns_common(kls->user_ns)->ns_owner_root.ns_list_head;
-       kls->userns_capable = ns_capable_noaudit(kls->user_ns, CAP_SYS_ADMIN);
+       kls->userns_capable = may_see_all_namespaces();
 
        rcu_read_lock();