Re: [PATCH review 2/4] vfs: Test for and handle paths that are unreachable from their mnt_root

On Wed, Apr 08, 2015 at 06:32:58PM -0500, Eric W. Biederman wrote:
> 
> - Add a dentry flag DCACHE_MOUNT_VIOLATED to mark loopback mounts that
>   have had a dentry moved into a directory that does not descend from
>   the mount root dentry.
> 
> - In mnt_put_root clear DCACHE_MOUNT_VIOLATED.
> 
> - Add a function path_connected to verify a path.dentry is reachable from
>   path.mnt.mnt_root.  AKA rename did not do something nasty to the bind mount.
> 
> - Disable ".." when a path is not connected during lookup.
>   (Maybe we want to stop ".." at this path instead?)
> 
>   Following .. is not disabled after a transition to /
>   and is never disabled when / is the directory we start
>   with.   Because we already limit .. no higher than /

IDGI.  Am I missing something, or you really only set that flag in the
beginning of the pathwalk?  At the bare minimum, you want to treat
nd_jump_link() the same way, or your protection is trivially defeated by
using /proc/self/cwd/$PATHNAME instead of $PATHNAME...
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
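
The point raised in the reply, shown as an added user-space model (not code from the patch or the kernel): a connectivity check made only when the walk starts goes stale once the walk jumps, so it has to be repeated at the jump. Every type and function name below is hypothetical, and the DCACHE_MOUNT_VIOLATED flag is not modelled; reachability is recomputed by following parent pointers.

```c
#include <stdbool.h>
/* User-space model; every name here is hypothetical, none is kernel code. */
struct dentry { struct dentry *parent; };      /* fs root: parent == self */
struct path { struct dentry *mnt_root, *dentry; };
struct walk { struct path path; bool dotdot_ok; };

/* Is p->dentry reachable from p->mnt_root? Follow parents up to the fs root. */
static bool path_connected_model(const struct path *p)
{
    for (struct dentry *d = p->dentry; ; d = d->parent) {
        if (d == p->mnt_root) return true;
        if (d == d->parent) return false;      /* reached fs root first */
    }
}

/* The check as described: evaluated once, where the walk begins. */
static void walk_start(struct walk *w, struct path start)
{
    w->path = start;
    w->dotdot_ok = path_connected_model(&start);
}

/* A jump lands anywhere, as following a /proc/self/cwd-style link does. */
static void walk_jump(struct walk *w, struct path target, bool recheck)
{
    w->path = target;
    if (recheck)
        w->dotdot_ok = path_connected_model(&target);
}

/* ".." never goes above mnt_root and is refused on an unconnected path. */
static bool walk_dotdot(struct walk *w)
{
    if (w->path.dentry == w->path.mnt_root) return true;
    if (!w->dotdot_ok) return false;
    w->path.dentry = w->path.dentry->parent;
    return true;
}

/* Constructed case: bind mount rooted at a; d was renamed out of a into b. */
static bool walk_escapes(bool recheck)
{
    struct dentry root, a, b, d;
    root.parent = a.parent = b.parent = &root; d.parent = &b;
    struct walk w;
    walk_start(&w, (struct path){ &a, &a });   /* connected start: ".." allowed */
    walk_jump(&w, (struct path){ &a, &d }, recheck);
    walk_dotdot(&w);
    return w.path.dentry == &b;                /* true: left the mount's subtree */
}
int main(void) { return (walk_escapes(false) && !walk_escapes(true)) ? 0 : 1; }
```

With `recheck` false the stale `dotdot_ok` lets ".." step from the moved directory into `b`, outside the mount root; with `recheck` true the same ".." is refused.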



