Al Viro <viro@xxxxxxxxxxxxxxxxxx> writes:

> On Wed, Apr 08, 2015 at 06:32:58PM -0500, Eric W. Biederman wrote:
>>
>> - Add a dentry flag DCACHE_MOUNT_VIOLATED to mark loopback mounts that
>> have had a dentry moved into a directory that does not descend from
>> the mount root dentry.
>>
>> - In mnt_put_root clear DCACHE_MOUNT_VIOLATED.
>>
>> - Add a function path_connected to verify a path.dentry is reachable from
>> path.mnt.mnt_root. AKA rename did not do something nasty to the bind mount.
>>
>> - Disable ".." when a path is not connected during lookup.
>> (Maybe we want to stop ".." at this path instead?)
>>
>> Following .. is not disabled after a transition to /
>> and is never disabled when / is the directory we start
>> with. Because we already limit .. no higher than /
>
> IDGI. Am I missing something, or you really only set that flag in the
> beginning of the pathwalk? At the bare minimum, you want to treat
> nd_jump_link() the same way, or your protection is trivially defeated by
> using /proc/self/cwd/$PATHNAME instead of $PATHNAME...

nd_jump_link() is definitely an oversight. Doh!

Starting at the root or starting at mount_root of a mount point, that flag is not necessary, as we can obviously walk up as far as it is possible to go on that mount. Furthermore, legitimize_mnt will fail if a problematic rename happens during the mount. The next patch limits what follow_up and follow_nup_rcu can do.

So I have all of the normal operations covered, but I definitely need to take a second look to see if there are any additional locations like nd_jump_link where we can jump onto a path in the middle of a mount and need to test to see if it is connected.

Eric

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
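To make the check the thread is discussing concrete, here is an added userspace model (not kernel code, and not from the patch series) of a `path_connected()`-style test and of a ".." step that refuses to proceed from a disconnected dentry. The dentry tree, the names `path_connected`, `follow_dotdot` and `demo_*`, and the rename scenario are all constructed for illustration; the kernel's real dcache and pathwalk are considerably more involved.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy dcache: every node has a parent; the filesystem root is its own
 * parent, as in the kernel. Constructed model, not struct dentry. */
struct dentry {
    const char *name;
    struct dentry *parent;
};

/* Walk up from d; the path is "connected" only if we pass through the
 * mount's root dentry before hitting the filesystem root. */
bool path_connected(const struct dentry *mnt_root, const struct dentry *d)
{
    for (;;) {
        if (d == mnt_root)
            return true;
        if (d->parent == d)          /* filesystem root: mnt_root never seen */
            return false;
        d = d->parent;
    }
}

/* ".." step: clamp at the mount root, and refuse entirely when the
 * starting dentry is no longer under the mount root. */
const struct dentry *follow_dotdot(const struct dentry *mnt_root,
                                   const struct dentry *d)
{
    if (!path_connected(mnt_root, d))
        return NULL;                 /* disconnected: deny ".." */
    return d == mnt_root ? d : d->parent;
}

/* Scenario from the thread: bind mount rooted at /a/b; a rename then
 * moves b/c to /a/x/c, i.e. outside the mount root. Returns 1 if the
 * check flips from connected to disconnected as expected. */
int demo_rename(void)
{
    struct dentry root = { "/", NULL }, a = { "a", &root }, b = { "b", &a },
                  c = { "c", &b }, x = { "x", &a };
    root.parent = &root;
    bool before = path_connected(&b, &c);
    c.parent = &x;                   /* rename(2) reparented c under x */
    bool after = path_connected(&b, &c);
    return before && !after;
}

/* ".." from the disconnected dentry is refused; from the mount root it
 * stays put; from a connected child it climbs one level. Returns 1 on
 * all three behaving as described. */
int demo_dotdot(void)
{
    struct dentry root = { "/", NULL }, m = { "m", &root }, d = { "d", &m };
    root.parent = &root;
    bool climbs = follow_dotdot(&m, &d) == &m;
    bool clamps = follow_dotdot(&m, &m) == &m;
    d.parent = &root;                /* moved out from under the mount */
    bool refused = follow_dotdot(&m, &d) == NULL;
    return climbs && clamps && refused;
}
```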