Sorry, that patch won't fully fix the issue. If you had something like "/a/b/c" with "/a/b/c" as MNT_LOCKED then the attacker could rbind "/a/b" over "/a/b" and then make "/a/b" MS_UNBINDABLE -- which would be permitted (no single mount has MNT_LOCKED|MS_UNBINDABLE) but as an end result "/a" would be bindmounted without the "/a/b/c" mask.
Given that `mount --bind /something_unbindable /x` fails, I think that `mount --rbind /something_containing_an_unbindable_mount /x` should also fail -- irrespective of MNT_LOCKED (but I imagine -- since this is more drastic -- it might also be more contentious). I'll attach the corrected patch once I've tested it.
Sorry, that patch won't fully fix the issue. If you had something like "/a/b/c" with "/a/b/c" as MNT_LOCKED then the attacker could rbind "/a/b" over "/a/b" and then make "/a/b" MS_UNBINDABLE -- which would be permitted (no single mount has MNT_LOCKED| MS_UNBINDABLE) but as an end result "/a" would be bindmounted without the "/a/b/c" mask.
Given that `mount --bind /something_ unbindable /x` fails, I think that `mount --rbind /something_ containing_ an_unbindable_ mount /x` should also fail -- irrespective of MNT_LOCKED (but I imagine -- since this is more drastic -- it might also be more contentious). I'll attach the corrected patch once I've tested it.