use uniform permission checks for all mount propagation changes

JIRA: https://issues.redhat.com/browse/RHEL-107304
Upstream status: Linus
CVE: CVE-2025-38498

Conflicts: There is a fuzz 1 for hunk #1 in fs/namespace.c. This is due
  to the lack of upstream commit 86b1da9 ("attach_recursive_mnt():
  get rid of flags entirely"), and some earlier changes, which depends
  on a number of other patches that add function getname_maybe_null()
  among other changes. But the patches do to resolve the CVE and are
  well defined and without dependencies.
  Note that hunk #3 has been dropped from the upstream patch becuase it
  patched function do_set_group() which belongs to functionality (also
  described in the description of the upstream patch) not present in
  RHEL-9 and deemed no relevant to the CVE we are resolving.

commit cffd044
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu Aug 14 01:44:31 2025 -0400

    use uniform permission checks for all mount propagation changes

    do_change_type() and do_set_group() are operating on different
    aspects of the same thing - propagation graph.  The latter
    asks for mounts involved to be mounted in namespace(s) the caller
    has CAP_SYS_ADMIN for.  The former is a mess - originally it
    didn't even check that mount *is* mounted.  That got fixed,
    but the resulting check turns out to be too strict for userland -
    in effect, we check that mount is in our namespace, having already
    checked that we have CAP_SYS_ADMIN there.

    What we really need (in both cases) is
            * only touch mounts that are mounted.  That's a must-have
    constraint - data corruption happens if it get violated.
            * don't allow to mess with a namespace unless you already
    have enough permissions to do so (i.e. CAP_SYS_ADMIN in its userns).

    That's an equivalent of what do_set_group() does; let's extract that
    into a helper (may_change_propagation()) and use it in both
    do_set_group() and do_change_type().

    Fixes: 12f147d "do_change_type(): refuse to operate on unmounted/not ours mounts"
    Acked-by: Andrei Vagin <avagin@gmail.com>
    Reviewed-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
    Tested-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
    Reviewed-by: Christian Brauner <brauner@kernel.org>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Signed-off-by: Ian Kent <ikent@redhat.com>

Author: Ian Kent

fs/namespace.c

@@ -2294,6 +2294,19 @@ static int graft_tree(struct mount *mnt, struct mount *p, struct mountpoint *mp)
 	return attach_recursive_mnt(mnt, p, mp, false);
 }
 
+static int may_change_propagation(const struct mount *m)
+{
+        struct mnt_namespace *ns = m->mnt_ns;
+
+	 // it must be mounted in some namespace
+	 if (IS_ERR_OR_NULL(ns))         // is_mounted()
+		 return -EINVAL;
+	 // and the caller must be admin in userns of that namespace
+	 if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN))
+		 return -EPERM;
+	 return 0;
+}
+
 /*
  * Sanity check the flags to change_mnt_propagation.
  */
@@ -2330,10 +2343,10 @@ static int do_change_type(struct path *path, int ms_flags)
 		return -EINVAL;
 
 	namespace_lock();
-	if (!check_mnt(mnt)) {
-		err = -EINVAL;
+	err = may_change_propagation(mnt);
+	if (err)
 		goto out_unlock;
-	}
+
 	if (type == MS_SHARED) {
 		err = invent_group_ids(mnt, recurse);
 		if (err)