Re: [PATCH v2 1/3] namei: implement O_BENEATH-style AT_* flags

From: Andy Lutomirski
Date: Tue Oct 09 2018 - 15:26:08 EST


On Mon, Oct 8, 2018 at 11:53 PM Aleksa Sarai <cyphar@xxxxxxxxxx> wrote:
> * AT_NO_PROCLINK: Disallows ->get_link "symlink" jumping. This is a very
> specific restriction, and it exists because /proc/$pid/fd/...
> "symlinks" allow for access outside nd->root and pose risk to
> container runtimes that don't want to be tricked into accessing a host
> path (but do want to allow no-funny-business symlink resolution).

Can you elaborate on the use case?

If I set up a container namespace and walk it for real (through the
outside /proc/PID/root or otherwise starting from an fd that points
into that namespace), and I walk through that namespace's /proc, I'm
going to see the same thing that the processes in the namespace would
see. So what's the issue?

Similarly, if I somehow manage to walk into the outside /proc, then
I've pretty much lost regardless of the links.

--Andy
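Added example, not part of the thread or of the patch: a small C program that models in userspace what an O_BENEATH-style walk plus the proposed AT_NO_PROCLINK restriction would give a container runtime. It resolves a path component by component below a root fd, refuses ".." and absolute targets, follows ordinary symlinks, and treats any symlink whose inode lives on procfs (detected with fstatfs() and PROC_SUPER_MAGIC) as a magic link to be refused, because the text readlink returns says nothing about where the kernel's get_link would actually jump. The function names resolve_beneath and demo_resolver, the /tmp fixture, and the choice of -EXDEV/-ELOOP as error codes are my assumptions for illustration, not the patch's semantics; the later openat2(2) RESOLVE_BENEATH/RESOLVE_NO_MAGICLINKS flags cover the same ground in the kernel but are not what this thread discusses.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <linux/magic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <unistd.h>
/* Userspace model of a walk that stays beneath rootfd and refuses procfs
 * "magic links" (an added illustration, not the patch's kernel code):
 *  - absolute paths, absolute symlink targets and ".." -> -EXDEV
 *  - ordinary symlinks are followed, relative to their own directory
 *  - a symlink whose inode lives on procfs (e.g. /proc/PID/fd/N, whose real
 *    target is an open file, not the text readlink returns) -> -ELOOP
 * rootfd must be a real directory fd.  Returns an fd opened with `flags`, or -errno. */
int resolve_beneath(int rootfd, const char *path, int flags, int depth)
{
    if (depth > 40) return -ELOOP;                     /* symlink recursion limit */
    if (path[0] == '/') return -EXDEV;
    int cur = dup(rootfd), e;                           /* we own cur; caller owns rootfd */
    if (cur < 0) return -errno;
    for (const char *p = path; *p; ) {
        while (*p == '/') p++;
        if (*p == '\0') break;
        const char *end = p;  while (*end && *end != '/') end++;
        const char *rest = end; while (*rest == '/') rest++;
        int last = (*rest == '\0');                    /* final component of this path? */
        size_t len = (size_t)(end - p);
        char comp[NAME_MAX + 1];
        if (len > NAME_MAX) { close(cur); return -ENAMETOOLONG; }
        memcpy(comp, p, len); comp[len] = '\0'; p = end;
        if (strcmp(comp, ".") == 0) continue;
        if (strcmp(comp, "..") == 0) { close(cur); return -EXDEV; }
        /* O_PATH|O_NOFOLLOW hands us the component itself, symlink or not */
        int next = openat(cur, comp, O_PATH | O_NOFOLLOW | O_CLOEXEC);
        if (next < 0) { e = errno; close(cur); return -e; }
        struct stat st; struct statfs sfs = {0};
        if (fstat(next, &st) < 0 || (S_ISLNK(st.st_mode) && fstatfs(next, &sfs) < 0)) {
            e = errno; close(next); close(cur); return -e;
        }
        if (S_ISLNK(st.st_mode)) {
            if (sfs.f_type == PROC_SUPER_MAGIC) { close(next); close(cur); return -ELOOP; }
            char target[PATH_MAX];
            ssize_t n = readlinkat(next, "", target, sizeof(target) - 1);
            e = errno; close(next);
            if (n < 0) { close(cur); return -e; }
            target[n] = '\0';
            /* re-walk the link text from the link's own directory, same rules */
            int r = resolve_beneath(cur, target, last ? flags : O_PATH | O_DIRECTORY, depth + 1);
            close(cur);
            if (r < 0 || last) return r;
            cur = r;
        } else if (last) {
            int f = openat(cur, comp, flags | O_NOFOLLOW | O_CLOEXEC);
            e = errno; close(next); close(cur);
            return f < 0 ? -e : f;
        } else {
            close(cur); cur = next;
        }
    }
    int f = openat(cur, ".", flags | O_CLOEXEC);        /* path was "" or "." */
    e = errno; close(cur);
    return f < 0 ? -e : f;
}

/* Constructed fixture under /tmp exercising the resolver.  Returns 0 if every
 * expectation held, otherwise the number of the first failed step. */
int demo_resolver(void)
{
    char root[] = "/tmp/beneath-demo.XXXXXX", path[PATH_MAX], buf[8] = {0};
    int step = 0, f = -1;
    if (!mkdtemp(root)) return 1;
    int rootfd = open(root, O_PATH | O_DIRECTORY | O_CLOEXEC);
    snprintf(path, sizeof path, "%s/file", root);
    int w = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (w < 0 || write(w, "hello\n", 6) != 6) step = 1;   close(w);
    snprintf(path, sizeof path, "%s/link", root);
    if (symlink("file", path) < 0) step = 1;
    snprintf(path, sizeof path, "%s/abslink", root);
    if (symlink("/etc/passwd", path) < 0) step = 1;
    /* 1: a relative symlink inside the root is followed as usual */
    if (!step && ((f = resolve_beneath(rootfd, "link", O_RDONLY, 0)) < 0 ||
                  read(f, buf, 6) != 6 || strcmp(buf, "hello\n") != 0)) step = 1;
    /* 2: ".." cannot climb out; 3: an absolute symlink target is refused too */
    if (!step && resolve_beneath(rootfd, "../file", O_RDONLY, 0) != -EXDEV) step = 2;
    if (!step && resolve_beneath(rootfd, "abslink", O_RDONLY, 0) != -EXDEV) step = 3;
    /* 4: from "/", proc/PID/fd/N is refused even though it "points" at our own
     *    file; a runtime walking a rootfs with /proc mounted cannot trust it */
    int slash = open("/", O_PATH | O_DIRECTORY | O_CLOEXEC);
    snprintf(path, sizeof path, "proc/%d/fd/%d", (int)getpid(), f);
    if (!step && resolve_beneath(slash, path, O_RDONLY, 0) != -ELOOP) step = 4;
    close(f); close(slash); close(rootfd);
    const char *names[] = { "file", "link", "abslink" };
    for (int i = 0; i < 3; i++) { snprintf(path, sizeof path, "%s/%s", root, names[i]); unlink(path); }
    rmdir(root);
    return step;
}
```

The demo deliberately uses the numeric pid rather than /proc/self: /proc/self is itself a procfs symlink, so the walk would already stop there, whereas the interesting refusal is at the fd link. Note that userspace can only detect the link after the fact with fstatfs(); it cannot see where get_link would have jumped, which is the reason a kernel-side flag is wanted in the first place.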