git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Christian Brauner <brauner@kernel.org>
	Tue, 24 Feb 2026 00:40:27 +0000 (01:40 +0100)
committer	Christian Brauner <brauner@kernel.org>
	Thu, 12 Mar 2026 12:34:59 +0000 (13:34 +0100)
commit	ccfac16e0be52b674ac04fb5ba88c643f76ae0e1
tree	e2eb2b75d5987c02e7b8d5a205f613076bb79857	tree \| snapshot
parent	c62a4766937edec2962d52e583276b459b739f2d	commit \| diff

move_mount: allow MOVE_MOUNT_BENEATH on the rootfs

Allow MOVE_MOUNT_BENEATH to target the caller's rootfs. When the target
of a mount-beneath operation is the caller's root mount, verify that:

(1) The caller is located at the root of the mount, as enforced by
    path_mounted() in do_lock_mount().
(2) Propagation from the parent mount would not overmount the target,
    to avoid propagating beneath the rootfs of other mount namespaces.

The root-switching is decomposed into individually atomic, locally-scoped
steps: mount-beneath inserts the new root under the old one, chroot(".")
switches the caller's root, and umount2(".", MNT_DETACH) removes the old
root. Since each step only modifies the caller's own state, this avoids
cross-namespace vulnerabilities and inherent fork/unshare/setns races
that a chroot_fs_refs()-based approach would have.

Userspace can use the following workflow to switch roots:

    fd_tree = open_tree(-EBADF, "/newroot",
                        OPEN_TREE_CLONE | OPEN_TREE_CLOEXEC);
    fchdir(fd_tree);
    move_mount(fd_tree, "", AT_FDCWD, "/",
               MOVE_MOUNT_BENEATH | MOVE_MOUNT_F_EMPTY_PATH);
    chroot(".");
    umount2(".", MNT_DETACH);

Link: https://patch.msgid.link/20260224-work-mount-beneath-rootfs-v1-2-8c58bf08488f@kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>