Date: Thu, 13 Jun 2019 00:54:33 +0200
From: Christian Brauner
To: viro@zeniv.linux.org.uk, linux-kernel@vger.kernel.org, torvalds@linux-foundation.org, linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org, dhowells@redhat.com
Subject: Regression for MS_MOVE on kernel v5.1
Message-ID: <20190612225431.p753mzqynxpsazb7@brauner.io>

Hey,

Sorry to be the bearer of bad news but I think I observed a pretty gnarly regression for userspace with MS_MOVE from kernel v5.1 onwards.

When propagating mounts across mount namespaces owned by different user namespaces it is not possible anymore to move the mount in the less privileged mount namespace.
Here is a reproducer:

    sudo mount -t tmpfs tmpfs /mnt
    sudo mount --make-rshared /mnt

    # create unprivileged user + mount namespace and preserve propagation
    unshare -U -m --map-root --propagation=unchanged

    # now change back to the original mount namespace in another terminal:
    sudo mkdir /mnt/aaa
    sudo mount -t tmpfs tmpfs /mnt/aaa

    # now in the unprivileged user + mount namespace
    mount --move /mnt/aaa /opt

This will work on kernels prior to 5.1 but will fail on kernels starting with 5.1.

Unfortunately, this is a pretty big deal for userspace. In LXD - which I maintain when not doing kernel stuff - we use this mechanism to inject mounts into running unprivileged containers. Users started reporting failures against our mount injection feature just a short while ago (cf. [1], [2]) and I just came around to looking into this today.

I tracked this down to commit:

    commit 3bd045cc9c4be2049602b47505256b43908b4e2f
    Author: Al Viro
    Date:   Wed Jan 30 13:15:45 2019 -0500

        separate copying and locking mount tree on cross-userns copies

        Rather than having propagate_mnt() check doing unprivileged copies,
        lock them before commit_tree().

        Signed-off-by: Al Viro

Reverting it makes MS_MOVE work correctly again. The commit changes the internal logic to lock mounts when propagating mounts across (user+)mount namespaces and - I believe - causes do_mount_move() to fail at:

    if (old->mnt.mnt_flags & MNT_LOCKED)
            goto out;

If that's indeed the case we should either revert this commit (reverts cleanly, just tested it) or find a fix.

Thanks!
Christian

[1]: https://github.com/lxc/lxd/issues/5788
[2]: https://github.com/lxc/lxd/issues/5836
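
The reproducer above as a single-process regression check, added here as an example and not part of the original message or of any project's code. The name check_ms_move() is hypothetical; it assumes root, that /mnt and /opt exist, and it runs inside a throwaway mount namespace so the host's mount table is not changed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exit status of a child, or 255 if it did not exit normally. */
static int reap(pid_t pid) {
    int st;
    return (waitpid(pid, &st, 0) == pid && WIFEXITED(st)) ? WEXITSTATUS(st) : 255;
}

/* Hypothetical helper: 0 = MS_MOVE worked, >0 = errno from MS_MOVE, -1 = setup failed. */
int check_ms_move(void) {
    int up[2], down[2];
    char c = 0;
    pid_t outer, inner;
    if (pipe(up) || pipe(down) || (outer = fork()) < 0) return -1;
    if (outer > 0) {            /* caller: drop all pipe ends, wait for the verdict */
        close(up[0]); close(up[1]); close(down[0]); close(down[1]);
        int rc = reap(outer);
        return rc == 255 ? -1 : rc;
    }
    /* Privileged side: private copy of the mount table, then a shared tmpfs on /mnt. */
    if (unshare(CLONE_NEWNS) || mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) ||
        mount("tmpfs", "/mnt", "tmpfs", 0, NULL) ||
        mount(NULL, "/mnt", NULL, MS_REC | MS_SHARED, NULL) || (inner = fork()) < 0)
        _exit(255);
    if (inner == 0) {           /* less privileged user + mount namespace */
        close(up[0]); close(down[1]);
        if (unshare(CLONE_NEWUSER | CLONE_NEWNS) || write(up[1], &c, 1) != 1 ||
            read(down[0], &c, 1) != 1)
            _exit(255);
        _exit(mount("/mnt/aaa", "/opt", NULL, MS_MOVE, NULL) ? errno : 0);
    }
    close(up[1]); close(down[0]);
    /* Mount only after the child has unshared, so /mnt/aaa reaches it by propagation. */
    if (read(up[0], &c, 1) != 1 || mkdir("/mnt/aaa", 0755) ||
        mount("tmpfs", "/mnt/aaa", "tmpfs", 0, NULL) || write(down[1], &c, 1) != 1) {
        close(down[1]); reap(inner); _exit(255);   /* unblock the child, report failure */
    }
    _exit(reap(inner));
}

int main(void) { printf("check_ms_move() = %d\n", check_ms_move()); return 0; }
```

A return of 0 means the propagated mount could be moved in the less privileged namespace; a positive value is the errno from the failed move, and -1 means the namespaces or mounts could not be set up (for example, when not run as root).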