From: Karel Zak <kzak@redhat.com>
Date: Wed, 27 May 2026 10:20:06 +0000 (+0200)
Subject: libmount: restrict X-mount.subdir for non-root to Linux >= 6.15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bde660dd7e3bab40771bffd5ff654b3e0a71cd16;p=thirdparty%2Futil-linux.git

libmount: restrict X-mount.subdir for non-root to Linux >= 6.15

The old-kernel subdir path uses namespace unsharing and string-based
move_mount() which is unsafe for restricted users (TOCTOU).  The safe
detached subdir open requires Linux >= 6.15.

Signed-off-by: Karel Zak <kzak@redhat.com>
---

diff --git a/libmount/src/hook_subdir.c b/libmount/src/hook_subdir.c
index 030f80ed0..07663db4c 100644
--- a/libmount/src/hook_subdir.c
+++ b/libmount/src/hook_subdir.c
@@ -345,6 +345,12 @@ static int hook_mount_pre(
 	}
 #endif
 
+	if (mnt_context_target_fd_required(cxt)) {
+		DBG_OBJ(HOOK, hs, ul_debug(
+			"subdir mount refused for non-root user (kernel < 6.15)"));
+		return -ENOTSUP;
+	}
+
 	/* create unhared temporary target */
 	hsd->org_target = strdup(mnt_fs_get_target(cxt->fs));
 	if (!hsd->org_target)
diff --git a/sys-utils/mount.8.adoc b/sys-utils/mount.8.adoc
index 48461b07b..c600723d9 100644
--- a/sys-utils/mount.8.adoc
+++ b/sys-utils/mount.8.adoc
@@ -806,6 +806,8 @@ For now, this feature is implemented by a temporary filesystem root-directory mo
 +
 Note that this feature will not work in session with an unshared private mount namespace (after *unshare --mount*) on old kernels or with *mount*(8) without support for file-descriptors-based mount kernel API. In this case, you need *unshare --mount --propagation shared*.
 +
+For unprivileged (non-root) users, this feature requires Linux >= 6.15 where the subdirectory is opened directly on the detached mount tree.
++
 This feature is EXPERIMENTAL.
 
 *X-mount.owner*=_username_|_UID_, *X-mount.group*=_group_|_GID_::